Re: [PATCH v6 5/7] fwu: meta-data: switch to management by common code

2023-03-16 Thread Sughosh Ganu
On Thu, 16 Mar 2023 at 13:56, Ilias Apalodimas wrote:
>
> On Mon, Mar 06, 2023 at 05:18:41PM -0600, jassisinghb...@gmail.com wrote:
> > From: Jassi Brar 
> >
> > The common code can now read, verify and fix meta-data copies
> > while exposing one consistent structure to users.
> > Only the .read_mdata() and .write_mdata() callbacks of fwu_mdata_ops
> > are needed. Get rid of .get_mdata() .update_mdata() .get_mdata_part_num()
> > .read_mdata_partition() and .write_mdata_partition() and also the
> > corresponding wrapper functions.
> >
> > Signed-off-by: Jassi Brar 
> > Reviewed-by: Etienne Carriere 
> > ---
> >  cmd/fwu_mdata.c  |  17 +-
> >  drivers/fwu-mdata/fwu-mdata-uclass.c | 165 ---
> >  drivers/fwu-mdata/gpt_blk.c  | 124 +-
> >  include/fwu.h| 199 ---
> >  lib/fwu_updates/fwu.c| 235 ---
> >  5 files changed, 38 insertions(+), 702 deletions(-)



> >
> Etienne, Sughosh, this looks correct, but can someone
> verify it doesn't break the ST board?

I will check on the ST board by tomorrow and get back.

-sughosh


[PATCH v3 00/11] Integrate EFI capsule tasks into u-boot's build flow

2023-07-09 Thread Sughosh Ganu


This patchset aims to bring two capsule related tasks under the u-boot
build flow.

One is the embedding of the public key into the platform's dtb. The
public key is in the form of an EFI Signature List(ESL) file and is
used for capsule authentication. This is being achieved by adding the
signature node containing the capsule public key in the architecture's
u-boot.dtsi file. Currently, the u-boot.dtsi file has been added for
the sandbox and arm architectures. The path to the ESL file is being
provided through a Kconfig symbol(CONFIG_EFI_CAPSULE_ESL_FILE).

Changes have also been made to the test flow so that the keys used for
signing the capsule, and the ESL file, are generated prior to invoking
the u-boot's build, which enables embedding the ESL file into the dtb
as part of the u-boot build.

The other task is related to generation of capsules. Support is being
added to generate capsules by specifying the capsule parameters in a
config file. Calling the mkeficapsule tool then results in generation
of the corresponding capsule files. The capsules can be generated as
part of u-boot build, and this is being achieved through binman, by
adding a capsule entry type. The capsules can be generated either by
specifying the capsule parameters in a config file, or through
specifying them as properties under the capsule entry node. If using
the config file, the path to the config file is to be specified
through a Kconfig symbol(CONFIG_EFI_CAPSULE_CFG_FILE).

Changes have also been made to the efi capsule update feature testing
setup on the sandbox variants. Currently, the capsule files and the
public key ESL file are generated after u-boot has been built. This
logic has been changed so that the capsule input files along with the
keys needed for capsule signing and authentication are generated prior
to initiation of the u-boot build. The placement of all the files
needed for generation of capsules, along with the generated capsule
files is under the /tmp/capsules/ directory.

Currently, the capsule update feature is tested on the sandbox
and sandbox_flattree variants in CI. The capsule generation through
config file is enabled for the sandbox variant, with the
sandbox_flattree variant generating capsules through the command-line
parameters.

The document has been updated to reflect the above changes.

Changes since V2:
This version embeds the capsule auth related public key through the
u-boot.dtsi file. The capsule generation has been moved to binman. The
changes in the test setup have been split into multiple patches,
instead of a single monolithic patch.

* Add the public key ESL file through the u-boot.dtsi
* Add the dtsi files for sandbox and arm architectures
* Add a check in the Makefile that the ESL file path is not empty.
* Highlight the need to use the u-boot.dtsi file for embedding the
  public key ESL into the DTB.
* Add a Kconfig boolean symbol CONFIG_EFI_USE_CAPSULE_CFG_FILE which
  can be used to generate capsules through config file or parameters.
* New patch which generates capsules through binman replacing the
  earlier make target.
* New patch setting up the capsule files needed for CI run
* New patch for setting up the capsule files in the pytest setup
  before initiation of u-boot build.
* New patch for removing the capsule key and ESL generation logic from
  the capsule test config file.
* New patch to add the capsule generation config file for sandbox.
* New patch for generating the capsules and capsule input files
  through binman.


Sughosh Ganu (11):
  nuvoton: npcm845-evb: Add a newline at the end of file
  capsule: authenticate: Add capsule public key in platform's dtb
  doc: capsule: Document the new mechanism to embed ESL file into dtb
  tools: mkeficapsule: Add support for parsing capsule params from
config file
  doc: Add documentation to describe capsule config file format
  binman: capsule: Add support for generating capsules
  CI: capsule: Setup the files needed for capsule update testing
  test: py: Setup capsule files for testing
  test: capsule: Remove public key embed logic from capsule update test
  sandbox: capsule: Add a config file for generating capsules
  sandbox: capsule: Generate capsule related files through binman

 .azure-pipelines.yml  |  22 ++
 .gitlab-ci.yml|  20 +
 arch/arm/dts/nuvoton-npcm845-evb.dts  |   2 +-
 arch/arm/dts/u-boot.dtsi  |  17 +
 arch/sandbox/dts/u-boot.dtsi  | 160 
 configs/sandbox_defconfig |   3 +
 configs/sandbox_flattree_defconfig|   1 +
 doc/develop/uefi/uefi.rst |  86 -
 lib/efi_loader/Kconfig|  11 +
 lib/efi_loader/Makefile   |   7 +
 test/py/conftest.py   |  92 +
 test/py/tests/test_efi_capsule/conftest.py|  92 +
 .../test_efi_capsule/sandbox_capsule_cfg.txt  |  75

[PATCH v3 01/11] nuvoton: npcm845-evb: Add a newline at the end of file

2023-07-09 Thread Sughosh Ganu
Add a newline at the end of the dts, without which the build fails
when including the u-boot.dtsi file.

Signed-off-by: Sughosh Ganu 
---
Changes since V2:
* New patch

 arch/arm/dts/nuvoton-npcm845-evb.dts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/dts/nuvoton-npcm845-evb.dts 
b/arch/arm/dts/nuvoton-npcm845-evb.dts
index 3cab7807e3..a93666cb41 100644
--- a/arch/arm/dts/nuvoton-npcm845-evb.dts
+++ b/arch/arm/dts/nuvoton-npcm845-evb.dts
@@ -354,4 +354,4 @@
&r1en_pins
&r1oen_pins
>;
-};
\ No newline at end of file
+};
-- 
2.34.1



[PATCH v3 03/11] doc: capsule: Document the new mechanism to embed ESL file into dtb

2023-07-09 Thread Sughosh Ganu
Update the document to specify how the EFI Signature List(ESL) file
can be embedded into the platform's dtb as part of the u-boot build.

Signed-off-by: Sughosh Ganu 
---
Changes since V2:
* Highlight the need to use the u-boot.dtsi file for embedding the
  public key ESL into the DTB.

 doc/develop/uefi/uefi.rst | 22 +-
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index ffe25ca231..c04e62f3a5 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -495,20 +495,16 @@ and used by the steps highlighted below.
 ...
 }
 
-You can do step-4 manually with
+You can perform step-4 by defining the Kconfig symbol
+CONFIG_EFI_CAPSULE_ESL_FILE. Once this has been done, the signature
+node can be added to the u-boot.dtsi file. For reference, check the
+u-boot.dtsi file for the sandbox architecture. If this node has not
+been added to the architecture's u-boot.dtsi file, this needs to be
+done. The node has currently been added for the sandbox and arm
+architectures' in the u-boot.dtsi file. Once the u-boot.dtsi file has
+been added with the signature node, the esl file will automatically
+get embedded into the platform's dtb as part of u-boot build.
 
-.. code-block:: console
-
-$ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts
-$ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo
-
-where signature.dts looks like::
-
-&{/} {
-signature {
-capsule-key = /incbin/("CRT.esl");
-};
-};
 
 Executing the boot manager
 ~~
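Review bot: In the added paragraph, the sentence "The node has currently been added for the sandbox and arm architectures' in the u-boot.dtsi file" has a stray apostrophe and repeats what the two sentences before it already say; one statement of which architectures ship the node is enough. The hunk also removes the manual dtc/fdtoverlay steps without saying what a platform whose architecture has no u-boot.dtsi should do in the meantime, so a short note on that would help. The removal leaves two consecutive blank lines before "Executing the boot manager".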
-- 
2.34.1



[PATCH v3 02/11] capsule: authenticate: Add capsule public key in platform's dtb

2023-07-09 Thread Sughosh Ganu
The EFI capsule authentication logic in u-boot expects the public key
in the form of an EFI Signature List(ESL) to be provided as part of
the platform's dtb. Currently, the embedding of the ESL file into the
dtb needs to be done manually.

Add a signature node in the u-boot dtsi file and include the public
key through the capsule-key property. This file is per architecture,
and is currently being added for sandbox and arm architectures. It
will have to be added for other architectures which need to enable
capsule authentication support.

The path to the ESL file is specified through the
CONFIG_EFI_CAPSULE_ESL_FILE symbol.

Signed-off-by: Sughosh Ganu 
---
Changes since V2:
* Add the public key ESL file through the u-boot.dtsi.
* Add the dtsi files for sandbox and arm architectures.
* Add a check in the Makefile that the ESL file path is not empty.

 arch/arm/dts/u-boot.dtsi | 17 +
 arch/sandbox/dts/u-boot.dtsi | 17 +
 lib/efi_loader/Kconfig   | 11 +++
 lib/efi_loader/Makefile  |  7 +++
 4 files changed, 52 insertions(+)
 create mode 100644 arch/arm/dts/u-boot.dtsi
 create mode 100644 arch/sandbox/dts/u-boot.dtsi

diff --git a/arch/arm/dts/u-boot.dtsi b/arch/arm/dts/u-boot.dtsi
new file mode 100644
index 00..60bd004937
--- /dev/null
+++ b/arch/arm/dts/u-boot.dtsi
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Devicetree file with miscellaneous nodes that will be included
+ * at build time into the DTB. Currently being used for including
+ * capsule related information.
+ *
+ */
+
+#ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT
+/ {
+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+   signature {
+   capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
+   };
+#endif
+};
+#endif /* CONFIG_EFI_HAVE_CAPSULE_SUPPORT */
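Review bot: capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE) depends on the symbol expanding to an existing file, but the Kconfig entry added in this patch defaults to "" and the only guard sits in lib/efi_loader/Makefile. If the dtb is built before that Makefile is read, the failure will come from dtc as an /incbin/ error rather than from the clearer $(error ...) text, so it is worth stating the expected ordering or adding a guard next to the dts build. The outer #ifdef also emits an empty root node when only CONFIG_EFI_HAVE_CAPSULE_SUPPORT is set; nesting the whole "/ { ... };" under CONFIG_EFI_CAPSULE_AUTHENTICATE would be tidier until a second node exists.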
diff --git a/arch/sandbox/dts/u-boot.dtsi b/arch/sandbox/dts/u-boot.dtsi
new file mode 100644
index 00..60bd004937
--- /dev/null
+++ b/arch/sandbox/dts/u-boot.dtsi
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Devicetree file with miscellaneous nodes that will be included
+ * at build time into the DTB. Currently being used for including
+ * capsule related information.
+ *
+ */
+
+#ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT
+/ {
+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+   signature {
+   capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
+   };
+#endif
+};
+#endif /* CONFIG_EFI_HAVE_CAPSULE_SUPPORT */
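Review bot: The content here duplicates arch/arm/dts/u-boot.dtsi exactly (both index lines show 60bd004937), and the commit message says further architectures will need the same file. A single shared include that each architecture's u-boot.dtsi pulls in would keep the signature node, and any later change to how the key is embedded, in one place.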
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index c5835e6ef6..1326a1d109 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -234,6 +234,17 @@ config EFI_CAPSULE_MAX
  Select the max capsule index value used for capsule report
  variables. This value is used to create CapsuleMax variable.
 
+config EFI_CAPSULE_ESL_FILE
+   string "Path to the EFI Signature List File"
+   default ""
+   depends on EFI_CAPSULE_AUTHENTICATE
+   help
+ Provides the absolute path to the EFI Signature List
+ file which will be embedded in the platform's device
+ tree and used for capsule authentication at the time
+ of capsule update.
+
+
 config EFI_DEVICE_PATH_TO_TEXT
bool "Device path to text protocol"
default y
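Review bot: With default "" and only "depends on EFI_CAPSULE_AUTHENTICATE", every existing configuration that enables capsule authentication will now stop at the $(error ...) added to lib/efi_loader/Makefile until a path is set; the commit message should call out that behaviour change, or the board defconfigs that enable authentication should be updated in the same series. The help text asks for an absolute path but nothing enforces it, so say what happens with a relative one. The hunk also adds two blank lines after the help text where one is the convention in the surrounding entries.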
diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
index 13a35eae6c..9fb04720d9 100644
--- a/lib/efi_loader/Makefile
+++ b/lib/efi_loader/Makefile
@@ -86,3 +86,10 @@ obj-$(CONFIG_EFI_ECPT) += efi_conformance.o
 
 EFI_VAR_SEED_FILE := $(subst $\",,$(CONFIG_EFI_VAR_SEED_FILE))
 $(obj)/efi_var_seed.o: $(srctree)/$(EFI_VAR_SEED_FILE)
+
+ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y)
+EFI_CAPSULE_KEY_PATH := $(subst $\",,$(CONFIG_EFI_CAPSULE_ESL_FILE))
+ifeq ("$(wildcard $(EFI_CAPSULE_KEY_PATH))","")
+$(error .esl cerificate not found. Configure your CONFIG_EFI_CAPSULE_ESL_FILE)
+endif
+endif
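Review bot: The $(error ...) text misspells "certificate" as "cerificate" and does not print the path that was looked up; including $(EFI_CAPSULE_KEY_PATH) in the message would make a wrong or empty CONFIG_EFI_CAPSULE_ESL_FILE much quicker to diagnose. Unlike the EFI_VAR_SEED_FILE rule just above, the path is not prefixed with $(srctree), so a relative value is resolved against make's working directory; that matches the "absolute path" wording in Kconfig but deserves a one-line comment here.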
-- 
2.34.1



[PATCH v3 04/11] tools: mkeficapsule: Add support for parsing capsule params from config file

2023-07-09 Thread Sughosh Ganu
Add support for specifying the parameters needed for capsule
generation through a config file, instead of passing them through
command-line. Parameters for more than a single capsule file can be
specified, resulting in generation of multiple capsules through a
single invocation of the command.

This path is to be used for generating capsules through a make target,
with the parameters being parsed from the config file.

Signed-off-by: Sughosh Ganu 
---
Changes since V2:
* Add a Kconfig boolean symbol CONFIG_EFI_USE_CAPSULE_CFG_FILE which
  can be used to generate capsules through config file or parameters.

 tools/Kconfig  |  16 ++
 tools/Makefile |   1 +
 tools/eficapsule.h | 110 
 tools/mkeficapsule.c   |  84 +
 tools/mkeficapsule_parse.c | 345 +
 5 files changed, 526 insertions(+), 30 deletions(-)
 create mode 100644 tools/mkeficapsule_parse.c

diff --git a/tools/Kconfig b/tools/Kconfig
index 539708f277..9b744aba31 100644
--- a/tools/Kconfig
+++ b/tools/Kconfig
@@ -98,6 +98,22 @@ config TOOLS_MKEFICAPSULE
  optionally sign that file. If you want to enable UEFI capsule
  update feature on your target, you certainly need this.
 
+config EFI_CAPSULE_CFG_FILE
+   string "Path to the EFI Capsule Config File"
+   default ""
+   help
+ Path to the EFI capsule config file which provides the
+ parameters needed to build capsule(s). Parameters can be
+ provided for multiple payloads resulting in corresponding
+ capsule images being generated.
+
+config EFI_USE_CAPSULE_CFG_FILE
+   bool "Use the config file for generating capsules"
+   help
+ Boolean option used to specify if the EFI capsules are to
+ be generated through parameters specified via the config
+ file or through command line.
+
 menuconfig FSPI_CONF_HEADER
bool "FlexSPI Header Configuration"
help
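Review bot: EFI_CAPSULE_CFG_FILE and EFI_USE_CAPSULE_CFG_FILE are independent of each other here, so the boolean can be enabled while the path is still at its "" default. Making the string "depends on EFI_USE_CAPSULE_CFG_FILE", and both depend on TOOLS_MKEFICAPSULE, would rule that combination out. The help text should also say whether the path is absolute or relative to the source tree, as the EFI_CAPSULE_ESL_FILE help does.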
diff --git a/tools/Makefile b/tools/Makefile
index d793cf3bec..ef366f3d61 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -250,6 +250,7 @@ HOSTLDLIBS_mkeficapsule += \
 HOSTLDLIBS_mkeficapsule += \
$(shell pkg-config --libs uuid 2> /dev/null || echo "-luuid")
 hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
+mkeficapsule-objs := mkeficapsule.o mkeficapsule_parse.o
 
 # We build some files with extra pedantic flags to try to minimize things
 # that won't build on some weird host compiler -- though there are lots of
diff --git a/tools/eficapsule.h b/tools/eficapsule.h
index 072a4b5598..42e66c6d6a 100644
--- a/tools/eficapsule.h
+++ b/tools/eficapsule.h
@@ -52,6 +52,38 @@ typedef struct {
 /* flags */
 #define CAPSULE_FLAGS_PERSIST_ACROSS_RESET  0x0001
 
+enum capsule_type {
+   CAPSULE_NORMAL_BLOB = 0,
+   CAPSULE_ACCEPT,
+   CAPSULE_REVERT,
+};
+
+/**
+ * struct efi_capsule_params - Capsule parameters
+ * @image_guid: Guid value of the payload input image
+ * @image_index: Image index value
+ * @hardware_instance: Hardware instance to be used for the image
+ * @monotonic_count: Monotonic count value to be used for signed capsule
+ * @privkey_file: Path to private key used in capsule signing
+ * @cert_file: Path to public key certificate used in capsule signing
+ * @input_file: Path to payload input image
+ * @capsule_file: Path to the output capsule file
+ * @oemflags: Oemflags to be populated in the capsule header
+ * @capsule: Capsule Type, normal or accept or revert
+ */
+struct efi_capsule_params {
+   efi_guid_t *image_guid;
+   unsigned long image_index;
+   unsigned long hardware_instance;
+   uint64_t monotonic_count;
+   char *privkey_file;
+   char *cert_file;
+   char *input_file;
+   char *capsule_file;
+   unsigned long oemflags;
+   enum capsule_type capsule;
+};
+
 struct efi_capsule_header {
efi_guid_t capsule_guid;
uint32_t header_size;
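Review bot: image_index, hardware_instance and oemflags are declared unsigned long, whose width depends on the host the tool is built on, while monotonic_count already uses uint64_t; fixed-width types would make the accepted ranges explicit and match the "16bit Oemflags" wording used in the documentation patch. The kernel-doc could also state which members may be NULL (privkey_file and cert_file for unsigned capsules, input_file for accept and revert capsules) and who owns the char * and efi_guid_t * storage.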
@@ -113,4 +145,82 @@ struct efi_firmware_image_authentication {
struct win_certificate_uefi_guid auth_info;
 } __packed;
 
+/**
+ * capsule_with_cfg_file() - Generate capsule from config file
+ * @cfg_file: Path to the config file
+ *
+ * Parse the capsule parameters from the config file and use the
+ * parameters for generating one or more capsules.
+ *
+ * Return: None
+ *
+ */
+void capsule_with_cfg_file(const char *cfg_file);
+
+/**
+ * convert_uuid_to_guid() - convert UUID to GUID
+ * @buf:   UUID binary
+ *
+ * UUID and GUID have the same data structure, but their binary
+ * formats are different due to the endianness. See lib/uuid.c.
+ * Since uuid_parse() can handle only UUID, this function must
+ * be called to get correct data for GUID when parsing a string.
+ *
+ * The correct data will be returned in @buf.
+ */
+void convert_uuid_to_guid(unsigned char *buf);
+
+/**
+ * create_empty_capsule() - Generate an empty capsule
+ * @path: Path to th
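Review bot: capsule_with_cfg_file() is declared void with "Return: None", so a missing or malformed config file, or a capsule that fails to sign, cannot be reported to the caller. Returning an int (0 on success, negative on the first failure) would let mkeficapsule exit non-zero and let the build stop instead of continuing with missing or partial capsule files.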

[PATCH v3 05/11] doc: Add documentation to describe capsule config file format

2023-07-09 Thread Sughosh Ganu
The UEFI capsule can be generated either through command-line
parameters, or, by specifying those in a config file. Add
documentation to describe the format of the config file.

Signed-off-by: Sughosh Ganu 
---
Changes since V2: None

 doc/develop/uefi/uefi.rst | 64 +++
 1 file changed, 64 insertions(+)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index c04e62f3a5..ddf8e20cb0 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -442,6 +442,70 @@ following command can be issued
   --guid c1b629f1-ce0e-4894-82bf-f0a38387e630 \
   optee.bin optee.capsule
 
+Or alternatively, the capsule can be generated through a make target
+
+.. code-block:: bash
+
+$ make capsule
+
+Issuing the above make command requires specifying the capsule
+parameters through a config file instead. The Kconfig symbol
+CONFIG_EFI_CAPSULE_CFG_FILE is to be used for specifying the path to
+the config file.
+
+The config file describes the parameters that are used for generating
+one or more capsules. The parameters for a given capsule file are
+specified within curly braces, in the form of "key:value" pairs. All
+the parameters that are currently supported by the mkeficapsule tool
+can be specified through the config file.
+
+The following are some example payload parameters specified through
+the config file.
+
+.. code-block:: none
+
+   {
+   image-guid: 02f4d760-cfd5-43bd-8e2d-a42acb33c660
+   hardware-instance: 0
+   monotonic-count: 1
+   payload: u-boot.bin
+   image-index: 1
+   private-key: /path/to/priv/key
+   pub-key-cert: /path/to/pub/key
+   capsule: u-boot.capsule
+   }
+   {
+   image-guid: 4ce292da-1dd8-428d-a1c2-77743ef8b96e
+   hardware-instance: 0
+   payload: u-boot.itb
+   image-index: 2
+   oemflags: 0x8000
+   capsule: fit.capsule
+   }
+   {
+   capsule-type: accept
+   image-guid: 4ce292da-1dd8-428d-a1c2-77743ef8b96e
+   capsule: accept.capsule
+   }
+   {
+   capsule-type: revert
+   capsule: revert.capsule
+   }
+
+The following are the keys that specify the capsule parameters
+
+..code-block:: none
+
+image-guid: Image GUID
+image-index: Image index value
+private-key: Path to the private key file used for capsule signing
+pub-key-cert: Path to the public key crt file used for capsule signing
+payload: Path to the capsule payload file
+capsule: Path to the output capsule file that is generated
+hardware-instance: Hardware Instance value
+monotonic-count: Monotonic count value
+capsule-type: Specifies capsule type. normal(default), accept or revert
+oemflags: 16bit Oemflags value to be used(populated in capsule header)
 
 Enabling Capsule Authentication
 ***
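Review bot: "..code-block:: none" before the key list is missing the space after "..", so Sphinx will not treat it as a directive and the key list will not render as a literal block; it should read ".. code-block:: none" like the block above it. The text also still describes a "make capsule" target, which the cover letter says this version replaces with binman, so the section needs updating to match. The sentence "The following are the keys that specify the capsule parameters" should end with a colon, and the list should say which keys are mandatory for each capsule-type.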
-- 
2.34.1



[PATCH v3 06/11] binman: capsule: Add support for generating capsules

2023-07-09 Thread Sughosh Ganu
Add support in binman for generating capsules. The capsule parameters
can be specified either through a config file or through the capsule
binman entry.

Signed-off-by: Sughosh Ganu 
---
Changes since V2:
* New patch which generates capsules through binman replacing the
  earlier make target.

 tools/binman/btool/mkeficapsule.py |  91 +
 tools/binman/entries.rst   |  27 
 tools/binman/etype/capsule.py  | 102 +
 3 files changed, 220 insertions(+)
 create mode 100644 tools/binman/btool/mkeficapsule.py
 create mode 100644 tools/binman/etype/capsule.py

diff --git a/tools/binman/btool/mkeficapsule.py 
b/tools/binman/btool/mkeficapsule.py
new file mode 100644
index 00..9f656c12cf
--- /dev/null
+++ b/tools/binman/btool/mkeficapsule.py
@@ -0,0 +1,91 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright 2023 Linaro Limited
+#
+"""Bintool implementation for mkeficapsule tool
+
+mkeficapsule is a tool used for generating EFI capsules.
+
+The following are the command-line options to be provided
+to the tool
+Usage: mkeficapsule [options]  
+Options:
+   -g, --guid guid for image blob type
+   -i, --index  update image index
+   -I, --instanceupdate hardware instance
+   -p, --private-key   private key file
+   -c, --certificate  signer's certificate file
+   -m, --monotonic-count  monotonic count
+   -d, --dump_sig  dump signature (*.p7)
+   -A, --fw-accept  firmware accept capsule, requires GUID, no image blob
+   -R, --fw-revert  firmware revert capsule, takes no GUID, no image blob
+   -o, --capoemflag Capsule OEM Flag, an integer between 0x and 0x
+   -f, --cfg-file  config file with capsule parameters
+   -h, --help  print a help message
+
+"""
+
+from binman import bintool
+
+class Bintoolmkeficapsule(bintool.Bintool):
+"""Handles the 'mkeficapsule' tool
+
+This bintool is used for generating the EFI capsules. The
+capsule generation parameters can either be specified through
+command-line, or through a config file.
+
+"""
+def __init__(self, name):
+super().__init__(name, 'mkeficapsule tool for generating capsules')
+
+def capsule_cfg_file(self, cfg_file):
+
+args = [
+f'--cfg-file={cfg_file}'
+]
+self.run_cmd(*args)
+
+def cmdline_capsule(self, image_index, image_guid, hardware_instance,
+payload, output_fname):
+
+args = [
+f'--index={image_index}',
+f'--guid={image_guid}',
+f'--instance={hardware_instance}',
+payload,
+output_fname
+]
+self.run_cmd(*args)
+
+def cmdline_auth_capsule(self, image_index, image_guid, hardware_instance,
+ monotonic_count, priv_key, pub_key,
+ payload, output_fname):
+
+args = [
+f'--index={image_index}',
+f'--guid={image_guid}',
+f'--instance={hardware_instance}',
+f'--monotonic-count={monotonic_count}',
+f'--private-key={priv_key}',
+f'--certificate={pub_key}',
+payload,
+output_fname
+]
+self.run_cmd(*args)
+
+def fetch(self, method):
+"""Fetch handler for mkeficapsule
+
+This builds the tool from source
+
+Returns:
+tuple:
+str: Filename of fetched file to copy to a suitable directory
+str: Name of temp directory to remove, or None
+"""
+if method != bintool.FETCH_BUILD:
+return None
+result = self.build_from_git(
+'https://source.denx.de/u-boot/u-boot.git',
+'tools',
+'tools/mkeficapsule')
+return result
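Review bot: capsule_cfg_file(), cmdline_capsule() and cmdline_auth_capsule() have no docstrings and drop the value of self.run_cmd(*args), unlike fetch(), which documents its return; please document the arguments and return the result so the capsule entry can detect a failed run. There is also no wrapper for the --fw-accept, --fw-revert or --capoemflag options listed in the module docstring, so those capsule variants can only be produced through the config file path; say so in the class docstring if that is intended.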
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index b71af801fd..9a263e8691 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -283,6 +283,33 @@ entry; similarly for SPL.
 
 
 
+.. _etype_capsule:
+
+Entry: capsule: Entry for generating EFI Capsule files
+--
+
+This is an entry for generating EFI capsules.
+
+The parameters needed for generation of the capsules can either be
+provided separately, or through a config file.
+
+Properties / Entry arguments:
+- cfg-file: Config file for providing capsule
+  parameters.
+- image-index: Unique number for identifying
+  corresponding payload image.
+- image-type-id: Image GUID which will be used
+  for identifying the image.
+- hardware-instance: Optional number for identifying
+   
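Review bot: The property is called image-type-id here, while the config file key documented in patch 05 is image-guid and the bintool argument is image_guid. Using one name across the three would make it easier to move a capsule description between the config file and the binman node.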

[PATCH v3 07/11] CI: capsule: Setup the files needed for capsule update testing

2023-07-09 Thread Sughosh Ganu
Support has been added through earlier commits to build capsules
and embed the public key needed for capsule authentication as part of
u-boot build.

From the testing point-of-view, this means the input files needed for
generating the above have to be set up before invoking the build. Set
this up in the CI configuration files for testing the capsule update
feature.

Signed-off-by: Sughosh Ganu 
---
Changes since V2:
* New patch setting up the capsule files needed for CI run

 .azure-pipelines.yml | 21 +
 .gitlab-ci.yml   | 19 +++
 2 files changed, 40 insertions(+)

diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
index 96b2ab4d75..75075bbd07 100644
--- a/.azure-pipelines.yml
+++ b/.azure-pipelines.yml
@@ -398,6 +398,17 @@ stages:
   wget -O - 
https://github.com/riscv/opensbi/releases/download/v0.9/opensbi-0.9-rv-bin.tar.xz
 | tar -C /tmp -xJ;
   export 
OPENSBI=/tmp/opensbi-0.9-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
   fi
+  mkdir -p /tmp/capsules/;
+  echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
+  echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
+  echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
+  echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+  if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == 
"sandbox_flattree" ]]; then
+  openssl req -x509 -sha256 -newkey rsa:2048 -subj 
/CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt 
-nodes -days 365;
+  openssl req -x509 -sha256 -newkey rsa:2048 -subj 
/CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out 
/tmp/capsules/SIGNER2.crt -nodes -days 365;
+  cert-to-efi-sig-list /tmp/capsules/SIGNER.crt 
/tmp/capsules/SIGNER.esl;
+  fi
+
   # the below corresponds to .gitlab-ci.yml "script"
   cd ${WORK_DIR}
   export UBOOT_TRAVIS_BUILD_DIR=/tmp/${TEST_PY_BD};
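Review bot: The mkdir and the four echo -n payload files run for every TEST_PY_BD, while only the key generation is limited to sandbox and sandbox_flattree; moving them inside the same if keeps the other boards' jobs untouched. The same payload files are also written by setup_capsule_build() in test/py/conftest.py (patch 08), so one of the two copies looks redundant. Both certificates use -subj /CN=TEST_SIGNER/; giving SIGNER2 its own CN would make a rejected-capsule test easier to read in the logs.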
@@ -582,6 +593,16 @@ stages:
   cd ${WORK_DIR}
   # make environment variables available as tests are running inside a 
container
   export BUILDMAN="${BUILDMAN}"
+  if [[ "${BUILDMAN}" == "sandbox" ]] || [[ "${BUILDMAN}" == "sandbox 
x86" ]]; then
+  if [ ! -d "/tmp/capsules/" ]; then
+  mkdir -p /tmp/capsules/;
+  openssl req -x509 -sha256 -newkey rsa:2048 -subj 
/CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt 
-n
+odes -days 365;
+  openssl req -x509 -sha256 -newkey rsa:2048 -subj 
/CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out 
/tmp/capsules/SIGNER2.crt
+-nodes -days 365;
+  cert-to-efi-sig-list /tmp/capsules/SIGNER.crt 
/tmp/capsules/SIGNER.esl;
+  fi
+  fi
   git config --global --add safe.directory ${WORK_DIR}
   EOF
   cat << "EOF" >> build.sh
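Review bot: As posted, both added openssl commands are broken across added lines: the first ends in "-n" with "odes -days 365;" on its own line, and the second has "-nodes -days 365;" on a separate line after SIGNER2.crt, so inside this heredoc the continuation would be run as a separate command. Each openssl invocation should stay on one logical line or use a trailing backslash. The [ ! -d "/tmp/capsules/" ] guard also skips key generation whenever the directory exists, even if SIGNER.esl is missing; testing for the file itself would be more robust.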
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e6c6ab3586..577eebd678 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -37,6 +37,17 @@ stages:
 export 
OPENSBI=/tmp/opensbi-0.9-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
   fi
 
+- mkdir -p /tmp/capsules/;
+- echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
+- echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
+- echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
+- echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+- if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == 
"sandbox_flattree" ]]; then
+   openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
-keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
+   openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
-keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 
365;
+   cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
+  fi
+
   after_script:
 - cp -v /tmp/${TEST_PY_BD}/*.{html,css} .
 - rm -rf /tmp/uboot-test-hooks /tmp/venv
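Review bot: after_script still removes only /tmp/uboot-test-hooks and /tmp/venv, so /tmp/capsules/ with the unencrypted (-nodes) SIGNER.key and SIGNER2.key stays behind on the runner; adding it to the rm -rf keeps stale keys and payloads from carrying over into a later job. As in the Azure file, the payload files are created for every board while the keys are limited to the two sandbox variants.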
@@ -131,6 +142,14 @@ build all other platforms:
   stage: world build
   script:
 - ret=0;
+  if [ ! -d "/tmp/capsules/" ]; then
+mkdir -p /tmp/capsules/;
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
-keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days
+ 365;
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
-keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -da
+ys 365;
+cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
+  fi
   git config --global --add safe.directory "${CI_PROJECT_DIR}";
   ./tools/buildman/buildman -o /tmp -PEWM -x arm,powerpc || ret=$?;
   if [[ $ret -ne 0 ]]; then
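Review bot: The second added openssl command is split inside the option name ("-da" on one line, "ys 365;" on the next), and the first has " 365;" on its own added line; neither continuation is indented like the rest of the script item. Please keep each command on a single line. This is also the fourth copy of the same key-generation block across the two CI files, so a small helper script called from each place would remove the duplication and this class of wrapping error.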
-- 
2.34.1



[PATCH v3 08/11] test: py: Setup capsule files for testing

2023-07-09 Thread Sughosh Ganu
Support has been added through earlier commits to build capsules and
embed the public key needed for capsule authentication as part of
u-boot build.

From the testing point-of-view, this means the input files needed for
the above have to be set up before invoking the build. Set this up in
the pytest configuration file for testing the capsule update feature.

Signed-off-by: Sughosh Ganu 
---
Changes since V2:
* New patch for setting up the capsule files in the pytest setup
  before initiation of u-boot build.

 test/py/conftest.py | 87 +
 1 file changed, 87 insertions(+)

diff --git a/test/py/conftest.py b/test/py/conftest.py
index fc9dd3a83f..661ed74fae 100644
--- a/test/py/conftest.py
+++ b/test/py/conftest.py
@@ -80,6 +80,89 @@ def pytest_addoption(parser):
 help='Run sandbox under gdbserver. The argument is the channel '+
 'over which gdbserver should communicate, e.g. localhost:1234')
 
+def setup_capsule_build(source_dir, build_dir, board_type, log):
+"""Setup the platform's build for testing capsule updates
+
+This generates the payload/input files needed for testing the
+capsule update functionality, along with the keys for signing
+the capsules. An EFI Signature List(ESL) file, which houses the
+public key for capsule authentication is generated as
+well.
+
+The ESL file is subsequently embedded into the platform's
+dtb during the u-boot build, to be used for capsule
+authentication.
+
+Two sets of keys are generated, namely SIGNER and SIGNER2.
+The SIGNER2 key pair is used as a malicious key for testing the
+the capsule authentication functionality.
+
+All the generated files are placed under the /tmp/capsules/
+directory.
+
+Args:
+soruce_dir (str): Directory containing source code
+build_dir (str): Directory to build in
+board_type (str): board_type parameter (e.g. 'sandbox')
+log (Logfile): Log file to use
+
+Returns:
+Nothing.
+"""
+def run_command(name, cmd, source_dir):
+with log.section(name):
+if isinstance(cmd, str):
+cmd = cmd.split()
+runner = log.get_runner(name, None)
+runner.run(cmd, cwd=source_dir)
+runner.close()
+log.status_pass('OK')
+
+def gen_capsule_payloads(capsule_dir):
+fname = '%su-boot.bin.old' % capsule_dir
+with open(fname, 'w') as fd:
+fd.write('u-boot:Old')
+
+fname = '%su-boot.bin.new' % capsule_dir
+with open(fname, 'w') as fd:
+fd.write('u-boot:New')
+
+fname = '%su-boot.env.old' % capsule_dir
+with open(fname, 'w') as fd:
+fd.write('u-boot-env:Old')
+
+fname = '%su-boot.env.new' % capsule_dir
+with open(fname, 'w') as fd:
+fd.write('u-boot-env:New')
+
+capsule_sig_dir = '/tmp/capsules/'
+sig_name = 'SIGNER'
+mkdir_p(capsule_sig_dir)
+name = 'openssl'
+cmd = ( 'openssl req -x509 -sha256 -newkey rsa:2048 '
+'-subj /CN=TEST_SIGNER/ -keyout %s%s.key '
+'-out %s%s.crt -nodes -days 365'
+% (capsule_sig_dir, sig_name, capsule_sig_dir, sig_name)
+   )
+run_command(name, cmd, source_dir)
+
+name = 'cert-to-efi-sig-list'
+cmd = ( 'cert-to-efi-sig-list %s%s.crt %s%s.esl'
+% (capsule_sig_dir, sig_name, capsule_sig_dir, sig_name)
+   )
+run_command(name, cmd, source_dir)
+
+sig_name = 'SIGNER2'
+name = 'openssl'
+cmd = ( 'openssl req -x509 -sha256 -newkey rsa:2048 '
+'-subj /CN=TEST_SIGNER/ -keyout %s%s.key '
+'-out %s%s.crt -nodes -days 365'
+% (capsule_sig_dir, sig_name, capsule_sig_dir, sig_name)
+   )
+run_command(name, cmd, source_dir)
+
+gen_capsule_payloads(capsule_sig_dir)
+
 def run_build(config, source_dir, build_dir, board_type, log):
 """run_build: Build U-Boot
 
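Review bot: setup_capsule_build() takes build_dir and board_type but never uses them, and writes everything to the hardcoded '/tmp/capsules/' instead; either drop the unused parameters or derive the directory from build_dir. The docstring has "soruce_dir" and a doubled "the the". The two openssl blocks differ only in sig_name and could be a loop, and gen_capsule_payloads() builds paths with '%su-boot.bin.old' % capsule_dir, which silently depends on the trailing slash where os.path.join would not.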
@@ -90,6 +173,10 @@ def run_build(config, source_dir, build_dir, board_type, 
log):
 board_type (str): board_type parameter (e.g. 'sandbox')
 log (Logfile): Log file to use
 """
+capsule_boards = ( 'sandbox', 'sandbox64', 'sandbox_flattree' )
+if board_type in capsule_boards:
+setup_capsule_build(source_dir, build_dir, board_type, log)
+
 if config.getoption('buildman'):
 if build_dir != source_dir:
 dest_args = ['-o', build_dir, '-w']
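Review bot: the new `if board_type in capsule_boards:` block in run_build() calls setup_capsule_build() for every sandbox, sandbox64 and sandbox_flattree build, so openssl and cert-to-efi-sig-list become prerequisites for running any test on those boards, not only the capsule tests. cert-to-efi-sig-list is invoked by bare name in setup_capsule_build(), so a host without efitools on PATH gets its failure from this step rather than from the tests that need the ESL. Suggest gating the call on the capsule config options being enabled, or checking for both tools first and failing with a message that names the missing one.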
-- 
2.34.1



[PATCH v3 09/11] test: capsule: Remove public key embed logic from capsule update test

2023-07-09 Thread Sughosh Ganu
The embedding of the public key EFI Signature List(ESL) file into the
platform's DTB is now done at the time of u-boot build. Remove this
logic from the capsule update test's configuration.

Include the public key for the sandbox and sandbox_flattree variant
as part of the build.

Signed-off-by: Sughosh Ganu 
---
Changes since V2:
* New patch for removing the capsule key and ESL generation logic from
  the capsule test config file.

 configs/sandbox_defconfig|  1 +
 configs/sandbox_flattree_defconfig   |  1 +
 test/py/tests/test_efi_capsule/conftest.py   | 30 +++-
 test/py/tests/test_efi_capsule/signature.dts | 10 ---
 4 files changed, 6 insertions(+), 36 deletions(-)
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts

diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index 1ec44d5b33..d8a2386bb0 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -339,6 +339,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
 CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
 CONFIG_EFI_SECURE_BOOT=y
 CONFIG_TEST_FDTDEC=y
 CONFIG_UNIT_TEST=y
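Review bot: `CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"` puts an absolute path outside the source and build trees into the defconfig, and the commit message says the ESL is embedded at build time, so `make sandbox_defconfig` followed by a plain build depends on a file that only the test setup or CI creates. The key trusted for capsule authentication is then whatever file sits at that /tmp path when the build runs. Suggest keeping the defconfig buildable on its own (for example by having the test harness set the symbol) or stating the prerequisite in the commit message and the documentation.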
diff --git a/configs/sandbox_flattree_defconfig 
b/configs/sandbox_flattree_defconfig
index e7657d40dc..8d60744771 100644
--- a/configs/sandbox_flattree_defconfig
+++ b/configs/sandbox_flattree_defconfig
@@ -226,6 +226,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
 CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
 CONFIG_UNIT_TEST=y
 CONFIG_UT_TIME=y
 CONFIG_UT_DM=y
diff --git a/test/py/tests/test_efi_capsule/conftest.py 
b/test/py/tests/test_efi_capsule/conftest.py
index a337e62936..9b0f7e635d 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -25,42 +25,20 @@ def efi_capsule_data(request, u_boot_config):
 image_path = u_boot_config.persistent_data_dir + '/test_efi_capsule.img'
 
 try:
+capsules_path_dir = '/tmp/capsules/'
 # Create a target device
 check_call('dd if=/dev/zero of=./spi.bin bs=1MiB count=16', shell=True)
 
 check_call('rm -rf %s' % mnt_point, shell=True)
 check_call('mkdir -p %s' % data_dir, shell=True)
 check_call('mkdir -p %s' % install_dir, shell=True)
+check_call('cp %s/* %s ' % (capsules_path_dir, data_dir), shell=True)
 
 capsule_auth_enabled = u_boot_config.buildconfig.get(
 'config_efi_capsule_authenticate')
 if capsule_auth_enabled:
-# Create private key (SIGNER.key) and certificate (SIGNER.crt)
-check_call('cd %s; '
-   'openssl req -x509 -sha256 -newkey rsa:2048 '
-'-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
-'-out SIGNER.crt -nodes -days 365'
-   % data_dir, shell=True)
-check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
-   % (data_dir, EFITOOLS_PATH), shell=True)
-
-# Update dtb adding capsule certificate
-check_call('cd %s; '
-   'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
-   % (data_dir, u_boot_config.source_dir), shell=True)
-check_call('cd %s; '
-   'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
-   'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
-'-o test_sig.dtb signature.dtbo'
-   % (data_dir, u_boot_config.build_dir), shell=True)
-
-# Create *malicious* private key (SIGNER2.key) and certificate
-# (SIGNER2.crt)
-check_call('cd %s; '
-   'openssl req -x509 -sha256 -newkey rsa:2048 '
-'-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
-'-out SIGNER2.crt -nodes -days 365'
-   % data_dir, shell=True)
+check_call('cp %s/arch/sandbox/dts/test.dtb %s/test_sig.dtb' %
+   (u_boot_config.build_dir, data_dir), shell=True)
 
 # Create capsule files
 # two regions: one for u-boot.bin and the other for u-boot.env
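Review bot: `check_call('cp %s/* %s ' % (capsules_path_dir, data_dir), shell=True)` copies whatever is in /tmp/capsules/ into the test data directory through a shell glob, so leftovers from earlier runs travel along with the files this test needs; copying the expected files by name would make the inputs explicit and would fail loudly when one is missing. The replacement for the removed overlay step, `cp %s/arch/sandbox/dts/test.dtb %s/test_sig.dtb`, also assumes the dtb was built against the same SIGNER.esl that pairs with the SIGNER.key copied here, and nothing in the hunk checks that, so a regenerated key shows up only as an authentication failure in the test. The removed comment that marked SIGNER2 as the malicious key has no counterpart in the added lines.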
diff --git a/test/py/tests/test_efi_capsule/signature.dts 
b/test/py/tests/test_efi_capsule/signature.dts
deleted file mode 100644
index 078cfc76c9..00
--- a/test/py/tests/test_efi_capsule/signature.dts
+++ /dev/null
@@ -1,10 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0+
-
-/dts-v1/;
-/plugin/;
-
-&{/} {
-   signature {
-   capsule-key = /incbin/("SIGNER.esl");
-   };
-};
-- 
2.34.1



[PATCH v3 10/11] sandbox: capsule: Add a config file for generating capsules

2023-07-09 Thread Sughosh Ganu
Support has been added to the mkeficapsule tool to generate capsules
by parsing the capsule parameters through a config file. Add a config
file for generating capsules. These capsules will be used for testing
the capsule update feature on sandbox platform.

Enable generation of capsules through the config file on the sandbox
variant.

Signed-off-by: Sughosh Ganu 
---
Changes since V2:
* New patch to add the capsule generation config file for sandbox.

 .azure-pipelines.yml  |  1 +
 .gitlab-ci.yml|  1 +
 configs/sandbox_defconfig |  2 +
 test/py/conftest.py   |  5 ++
 .../test_efi_capsule/sandbox_capsule_cfg.txt  | 75 +++
 5 files changed, 84 insertions(+)
 create mode 100644 test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt

diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
index 75075bbd07..cc196bf98c 100644
--- a/.azure-pipelines.yml
+++ b/.azure-pipelines.yml
@@ -403,6 +403,7 @@ stages:
   echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
   echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
   echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+  cp test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt 
/tmp/capsules/;
   if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == 
"sandbox_flattree" ]]; then
   openssl req -x509 -sha256 -newkey rsa:2048 -subj 
/CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt 
-nodes -days 365;
   openssl req -x509 -sha256 -newkey rsa:2048 -subj 
/CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out 
/tmp/capsules/SIGNER2.crt -nodes -days 365;
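Review bot: the added `cp test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt /tmp/capsules/;` is one of three copies of the same step in this patch (here, in .gitlab-ci.yml and in setup_capsule_build() in test/py/conftest.py), so a later rename of the file or the directory has to be made in three places. A single helper script called from both CI files and from conftest.py would keep them in step.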
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 577eebd678..614bf61962 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -42,6 +42,7 @@ stages:
 - echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
 - echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
 - echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+- cp test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt /tmp/capsules/;
 - if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == 
"sandbox_flattree" ]]; then
openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
-keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
-keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 
365;
diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index d8a2386bb0..0f4c59e1a8 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -340,6 +340,8 @@ CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
 CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
+CONFIG_EFI_CAPSULE_CFG_FILE="/tmp/capsules/sandbox_capsule_cfg.txt"
+CONFIG_EFI_USE_CAPSULE_CFG_FILE=y
 CONFIG_EFI_SECURE_BOOT=y
 CONFIG_TEST_FDTDEC=y
 CONFIG_UNIT_TEST=y
diff --git a/test/py/conftest.py b/test/py/conftest.py
index 661ed74fae..f32ab1a70c 100644
--- a/test/py/conftest.py
+++ b/test/py/conftest.py
@@ -161,6 +161,11 @@ def setup_capsule_build(source_dir, build_dir, board_type, 
log):
)
 run_command(name, cmd, source_dir)
 
+capsule_cfg_file = 'test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt'
+name = 'cp'
+cmd = ( ' cp %s %s' % (capsule_cfg_file, capsule_sig_dir))
+run_command(name, cmd, source_dir)
+
 gen_capsule_payloads(capsule_sig_dir)
 
 def run_build(config, source_dir, build_dir, board_type, log):
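Review bot: the new copy step builds the string `' cp %s %s'` and hands it to run_command(), which does `cmd = cmd.split()`; the leading space is harmless only because of that split, and a source or destination path containing whitespace would be broken into extra arguments. capsule_cfg_file is also relative and resolves only because run_command() runs with cwd=source_dir. shutil.copy(os.path.join(source_dir, capsule_cfg_file), capsule_sig_dir) does the same job without a subprocess and without either dependency.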
diff --git a/test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt 
b/test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt
new file mode 100644
index 00..4e5065d538
--- /dev/null
+++ b/test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt
@@ -0,0 +1,75 @@
+{
+   image-index: 1
+   image-guid: 09D7CF52-0720-4710-91D1-08469B7FE9C8
+   payload: /tmp/capsules/u-boot.bin.new
+   capsule: /tmp/capsules/Test01
+}
+{
+   image-index: 2
+   image-guid: 5A7021F5-FEF2-48B4-AABA-832E777418C0
+   payload: /tmp/capsules/u-boot.env.new
+   capsule: /tmp/capsules/Test02
+}
+{
+   image-index: 1
+   image-guid: 058B7D83-50D5-4C47-A195-60D86AD341C4
+   payload: /tmp/capsules/u-boot.bin.new
+   capsule: /tmp/capsules/Test03
+
+}
+{
+   image-index: 1
+   image-guid: 3673B45D-6A7C-46F3-9E60-ADABB03F7937
+   payload: /tmp/capsules/uboot_bin_env.itb
+   capsule: /tmp/capsules/Test04
+
+}
+{
+   image-index: 1
+   image-guid: 058B7D83-50D5-4C47-A195-60D86AD341C4
+   payload: /tmp/capsules/uboot_bin_env.itb
+   
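Review bot: the blocks in sandbox_capsule_cfg.txt give no indication of what each capsule is for: Test01 and Test03 use the same payload (/tmp/capsules/u-boot.bin.new) and the same image-index and differ only in image-guid, which reads as a copy-paste slip unless the reader already knows the test plan. A `#` comment line above each block naming the test case it feeds would make the intent reviewable; the reply on the v2 mkeficapsule patch in this thread says lines starting with `#` are treated as comments. The Test03 and Test04 blocks also carry a stray blank `+` line before the closing brace.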

[PATCH v3 11/11] sandbox: capsule: Generate capsule related files through binman

2023-07-09 Thread Sughosh Ganu
The EFI capsule files can now be generated as part of u-boot
build. This is done through binman. Add capsule entry nodes in the
u-boot.dtsi for the sandbox architecture for generating the
capsules. Remove the corresponding generation of capsules from the
capsule update conftest file.

The capsules are generated through the config file for the sandbox
variant, and through explicit parameters for the sandbox_flattree
variant.

Also generate the FIT image used for testing the capsule update
feature on the sandbox_flattree variant through binman. Remove the now
superfluous its file which was used for generating this FIT image.

Signed-off-by: Sughosh Ganu 
---
Changes since V2:
* New patch for generating the capsules and capsule input files
  through binman.

 arch/sandbox/dts/u-boot.dtsi  | 143 ++
 test/py/tests/test_efi_capsule/conftest.py|  62 
 .../tests/test_efi_capsule/uboot_bin_env.its  |  36 -
 3 files changed, 143 insertions(+), 98 deletions(-)
 delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its

diff --git a/arch/sandbox/dts/u-boot.dtsi b/arch/sandbox/dts/u-boot.dtsi
index 60bd004937..292fb86a50 100644
--- a/arch/sandbox/dts/u-boot.dtsi
+++ b/arch/sandbox/dts/u-boot.dtsi
@@ -13,5 +13,148 @@
capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
};
 #endif
+
+   binman: binman {
+   multiple-images;
+   };
+};
+
+&binman {
+   itb {
+   filename = "/tmp/capsules/uboot_bin_env.itb";
+
+   fit {
+   description = "Automatic U-Boot environment update";
+   #address-cells = <2>;
+
+   images {
+   u-boot-bin {
+   description = "U-Boot binary on SPI 
Flash";
+   data = 
/incbin/("/tmp/capsules/u-boot.bin.new");
+   compression = "none";
+   type = "firmware";
+   arch = "sandbox";
+   load = <0>;
+   hash-1 {
+   algo = "sha1";
+   };
+   };
+   u-boot-env {
+   description = "U-Boot environment on 
SPI Flash";
+   data = 
/incbin/("/tmp/capsules/u-boot.env.new");
+   compression = "none";
+   type = "firmware";
+   arch = "sandbox";
+   load = <0>;
+   hash-1 {
+   algo = "sha1";
+   };
+   };
+   };
+   };
+   };
+
+#ifdef CONFIG_EFI_USE_CAPSULE_CFG_FILE
+   capsule1 {
+   capsule {
+   cfg-file = CONFIG_EFI_CAPSULE_CFG_FILE;
+   };
+   };
+#else
+   capsule2 {
+   capsule {
+   image-index = <0x1>;
+   image-type-id = "09D7CF52-0720-4710-91D1-08469B7FE9C8";
+   filename = "/tmp/capsules/u-boot.bin.new";
+   capsule = "/tmp/capsules/Test01";
+   };
+   };
+
+   capsule3 {
+   capsule {
+   image-index = <0x2>;
+   image-type-id = "5A7021F5-FEF2-48B4-AABA-832E777418C0";
+   filename = "/tmp/capsules/u-boot.env.new";
+   capsule = "/tmp/capsules/Test02";
+   };
+   };
+
+   capsule4 {
+   capsule {
+   image-index = <0x1>;
+   image-type-id = "058B7D83-50D5-4C47-A195-60D86AD341C4";
+   filename = "/tmp/capsules/u-boot.bin.new";
+   capsule = "/tmp/capsules/Test03";
+   };
+   };
+
+   capsule5 {
+   capsule {
+   image-index = <0x1>;
+   image-type-id = "3673B45D-6A7C-46F3-9E60-ADABB03F7937";
+   filename = "/tmp/capsules/uboot_bin_env.itb";
+   capsule = "/tmp/capsules/Test04";
+   };
+   };
+
+   capsule6 {
+   capsule {
+   image-index = <0x1>;
+ 
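Review bot: the `#else` branch (capsule2 onward) repeats as node properties the same image-index, GUID, payload and output path values that patch 10 puts in sandbox_capsule_cfg.txt, so the test inputs for the two variants are maintained in two places and can drift apart without either build noticing. If both forms have to stay, a comment on each node naming the matching cfg-file block would help. Separately, both `hash-1` nodes in the FIT use `algo = "sha1"`; unless the test depends on SHA-1, sha256 would be the better default to carry forward.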

Re: [PATCH v3 02/11] capsule: authenticate: Add capsule public key in platform's dtb

2023-07-10 Thread Sughosh Ganu
hi Heinrich,

On Sun, 9 Jul 2023 at 19:22, Heinrich Schuchardt  wrote:
>
>
>
> Am 9. Juli 2023 15:33:17 MESZ schrieb Sughosh Ganu :
> >The EFI capsule authentication logic in u-boot expects the public key
> >in the form of an EFI Signature List(ESL) to be provided as part of
> >the platform's dtb. Currently, the embedding of the ESL file into the
> >dtb needs to be done manually.
> >
> >Add a signature node in the u-boot dtsi file and include the public
> >key through the capsule-key property. This file is per architecture,
> >and is currently being added for sandbox and arm architectures. It
>
> The device-tree compiler can pick up files from /include/. If the dtsi file 
> is not architecture specific, we should avoid code duplication.

The idea here was to have the dtsi file get included automatically
during build, and that happens only when the dtsi file, with a
specific name, is in the same directory as the dts being built. The
include directory is just a location where files would be searched for
when building, but the corresponding dtsi file will have to be
explicitly included in the dts being built. So this would mean every
board dts file needing to include the capsule dtsi file, instead of
automatic inclusion. I believe putting this dtsi file in the dts
directory of an architecture which is using capsule updates is easier
than including it in every board's dts.

The initial implementation was generating the signature node in a dtbo
on the fly, and including it into the corresponding dtb as it was
built. This is the approach that was taken in v1 [1], but Simon did
not like it, and Jonas suggested this approach [2].

-sughosh

[1] - https://lists.denx.de/pipermail/u-boot/2023-June/520121.html
[2] - https://lists.denx.de/pipermail/u-boot/2023-June/521195.html

>
> We should treat all EFI architectures the same.
>
> Best regards
>
> Heinrich
>
> >will have to be added for other architectures which need to enable
> >capsule authentication support.
> >
> >The path to the ESL file is specified through the
> >CONFIG_EFI_CAPSULE_ESL_FILE symbol.
> >
> >Signed-off-by: Sughosh Ganu 
> >---
> >Changes since V2:
> >* Add the public key ESL file through the u-boot.dtsi.
> >* Add the dtsi files for sandbox and arm architectures.
> >* Add a check in the Makefile that the ESL file path is not empty.
> >
> > arch/arm/dts/u-boot.dtsi | 17 +
> > arch/sandbox/dts/u-boot.dtsi | 17 +
> > lib/efi_loader/Kconfig   | 11 +++
> > lib/efi_loader/Makefile  |  7 +++
> > 4 files changed, 52 insertions(+)
> > create mode 100644 arch/arm/dts/u-boot.dtsi
> > create mode 100644 arch/sandbox/dts/u-boot.dtsi
> >
> >diff --git a/arch/arm/dts/u-boot.dtsi b/arch/arm/dts/u-boot.dtsi
> >new file mode 100644
> >index 00..60bd004937
> >--- /dev/null
> >+++ b/arch/arm/dts/u-boot.dtsi
> >@@ -0,0 +1,17 @@
> >+// SPDX-License-Identifier: GPL-2.0+
> >+/*
> >+ * Devicetree file with miscellaneous nodes that will be included
> >+ * at build time into the DTB. Currently being used for including
> >+ * capsule related information.
> >+ *
> >+ */
> >+
> >+#ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT
> >+/ {
> >+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
> >+  signature {
> >+  capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
> >+  };
> >+#endif
> >+};
> >+#endif /* CONFIG_EFI_HAVE_CAPSULE_SUPPORT */
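Review bot: with the nested conditionals in this new u-boot.dtsi, a configuration that has CONFIG_EFI_HAVE_CAPSULE_SUPPORT but not CONFIG_EFI_CAPSULE_AUTHENTICATE emits an empty `/ { };` node; testing both symbols in one `#if` around the whole block would avoid that. The `capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);` line embeds whatever file the path names at build time, so the commit message or the Kconfig help should say who is expected to create that file and when.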
> >diff --git a/arch/sandbox/dts/u-boot.dtsi b/arch/sandbox/dts/u-boot.dtsi
> >new file mode 100644
> >index 00..60bd004937
> >--- /dev/null
> >+++ b/arch/sandbox/dts/u-boot.dtsi
> >@@ -0,0 +1,17 @@
> >+// SPDX-License-Identifier: GPL-2.0+
> >+/*
> >+ * Devicetree file with miscellaneous nodes that will be included
> >+ * at build time into the DTB. Currently being used for including
> >+ * capsule related information.
> >+ *
> >+ */
> >+
> >+#ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT
> >+/ {
> >+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
> >+  signature {
> >+  capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
> >+  };
> >+#endif
> >+};
> >+#endif /* CONFIG_EFI_HAVE_CAPSULE_SUPPORT */
> >diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> >index c5835e6ef6..1326a1d109 100644
> >--- a/lib/efi_loader/Kconfig
> >+++ b/lib/efi_loader/Kconfig
> >@@ -234,6 +234,17 @@ config EFI_CAPSULE_MAX
> > Select the max capsule index value used for capsule report
> > variables. This value is used to create Capsul

Re: [PATCH v3 06/11] binman: capsule: Add support for generating capsules

2023-07-11 Thread Sughosh Ganu
hi Simon,

On Tue, 11 Jul 2023 at 03:08, Simon Glass  wrote:
>
> Hi Sughosh,
>
> On Sun, 9 Jul 2023 at 07:34, Sughosh Ganu  wrote:
> >
> > Add support in binman for generating capsules. The capsule parameters
> > can be specified either through a config file or through the capsule
> > binman entry.
> >
> > Signed-off-by: Sughosh Ganu 
> > ---
> > Changes since V2:
> > * New patch which generates capsules through binman replacing the
> >   earlier make target.
> >
> >  tools/binman/btool/mkeficapsule.py |  91 +
> >  tools/binman/entries.rst   |  27 
> >  tools/binman/etype/capsule.py  | 102 +
> >  3 files changed, 220 insertions(+)
> >  create mode 100644 tools/binman/btool/mkeficapsule.py
> >  create mode 100644 tools/binman/etype/capsule.py
>
> Please do check test coverage (binman test -T). You are missing quite
> a lot in the two files you have added.

I was aware of adding tests in binman, but since the capsules
generated through binman are getting tested in the capsule update
functionality, I thought this would be superfluous. If this is
mandatory, I will add the tests. Will also address the rest of your
comments for this patch.

-sughosh

>
> >
> > diff --git a/tools/binman/btool/mkeficapsule.py 
> > b/tools/binman/btool/mkeficapsule.py
> > new file mode 100644
> > index 00..9f656c12cf
> > --- /dev/null
> > +++ b/tools/binman/btool/mkeficapsule.py
> > @@ -0,0 +1,91 @@
> > +# SPDX-License-Identifier: GPL-2.0+
> > +# Copyright 2023 Linaro Limited
> > +#
> > +"""Bintool implementation for mkeficapsule tool
> > +
> > +mkeficapsule is a tool used for generating EFI capsules.
> > +
> > +The following are the command-line options to be provided
> > +to the tool
> > +Usage: mkeficapsule [options]  
> > +Options:
> > +   -g, --guid guid for image blob type
> > +   -i, --index  update image index
> > +   -I, --instanceupdate hardware instance
> > +   -p, --private-key   private key file
> > +   -c, --certificate  signer's certificate file
> > +   -m, --monotonic-count  monotonic count
> > +   -d, --dump_sig  dump signature (*.p7)
> > +   -A, --fw-accept  firmware accept capsule, requires GUID, no image 
> > blob
> > +   -R, --fw-revert  firmware revert capsule, takes no GUID, no image 
> > blob
> > +   -o, --capoemflag Capsule OEM Flag, an integer between 0x and 
> > 0x
> > +   -f, --cfg-file  config file with capsule parameters
> > +   -h, --help  print a help message
> > +
> > +"""
> > +
> > +from binman import bintool
> > +
> > +class Bintoolmkeficapsule(bintool.Bintool):
> > +"""Handles the 'mkeficapsule' tool
> > +
> > +This bintool is used for generating the EFI capsules. The
> > +capsule generation parameters can either be specified through
> > +command-line, or through a config file.
> > +
> > +"""
> > +def __init__(self, name):
> > +super().__init__(name, 'mkeficapsule tool for generating capsules')
> > +
> > +def capsule_cfg_file(self, cfg_file):
>
> """Function comment
>
> Args:
>cfg_file (str): ...
> """
>
> Please fix throughout
>
> > +
> > +args = [
> > +f'--cfg-file={cfg_file}'
> > +]
> > +self.run_cmd(*args)
> > +
> > +def cmdline_capsule(self, image_index, image_guid, hardware_instance,
> > +payload, output_fname):
> > +
> > +args = [
> > +f'--index={image_index}',
> > +f'--guid={image_guid}',
> > +f'--instance={hardware_instance}',
> > +payload,
> > +output_fname
> > +]
> > +self.run_cmd(*args)
> > +
> > +def cmdline_auth_capsule(self, image_index, image_guid, 
> > hardware_instance,
> > + monotonic_count, priv_key, pub_key,
> > + payload, output_fname):
> > +
> > +args = [
> > +f'--index={image_index}',
> > +f'--guid={image_guid}',
> > +f'--instance={hardware_instance}',
> > +f'--monotonic-count={mon
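Review bot: capsule_cfg_file() and cmdline_capsule() end with `self.run_cmd(*args)` and drop the result, so the calling entry type cannot tell a generated capsule from a run that produced nothing. Returning the value (`return self.run_cmd(*args)`) lets the caller check it. The three methods also have no docstrings describing their arguments, as already asked for in the inline reply above.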

Re: [PATCH v3 10/11] sandbox: capsule: Add a config file for generating capsules

2023-07-11 Thread Sughosh Ganu
hi Simon,

On Tue, 11 Jul 2023 at 03:08, Simon Glass  wrote:
>
> Hi Sughosh,
>
> On Sun, 9 Jul 2023 at 07:34, Sughosh Ganu  wrote:
> >
> > Support has been added to the mkeficapsule tool to generate capsules
> > by parsing the capsule parameters through a config file. Add a config
> > file for generating capsules. These capsules will be used for testing
> > the capsule update feature on sandbox platform.
> >
> > Enable generation of capsules through the config file on the sandbox
> > variant.
> >
> > Signed-off-by: Sughosh Ganu 
> > ---
> > Changes since V2:
> > * New patch to add the capsule generation config file for sandbox.
> >
> >  .azure-pipelines.yml  |  1 +
> >  .gitlab-ci.yml|  1 +
> >  configs/sandbox_defconfig |  2 +
> >  test/py/conftest.py   |  5 ++
> >  .../test_efi_capsule/sandbox_capsule_cfg.txt  | 75 +++
> >  5 files changed, 84 insertions(+)
> >  create mode 100644 test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt
> >
> > diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
> > index 75075bbd07..cc196bf98c 100644
> > --- a/.azure-pipelines.yml
> > +++ b/.azure-pipelines.yml
> > @@ -403,6 +403,7 @@ stages:
> >echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> >echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> >echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> > +  cp test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt 
> > /tmp/capsules/;
> >if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == 
> > "sandbox_flattree" ]]; then
> >openssl req -x509 -sha256 -newkey rsa:2048 -subj 
> > /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out 
> > /tmp/capsules/SIGNER.crt -nodes -days 365;
> >openssl req -x509 -sha256 -newkey rsa:2048 -subj 
> > /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out 
> > /tmp/capsules/SIGNER2.crt -nodes -days 365;
> > diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
> > index 577eebd678..614bf61962 100644
> > --- a/.gitlab-ci.yml
> > +++ b/.gitlab-ci.yml
> > @@ -42,6 +42,7 @@ stages:
> >  - echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> >  - echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> >  - echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> > +- cp test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt 
> > /tmp/capsules/;
> >  - if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == 
> > "sandbox_flattree" ]]; then
> > openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
> > -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 
> > 365;
> > openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
> > -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes 
> > -days 365;
> > diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
> > index d8a2386bb0..0f4c59e1a8 100644
> > --- a/configs/sandbox_defconfig
> > +++ b/configs/sandbox_defconfig
> > @@ -340,6 +340,8 @@ CONFIG_EFI_CAPSULE_ON_DISK=y
> >  CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
> >  CONFIG_EFI_CAPSULE_AUTHENTICATE=y
> >  CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
> > +CONFIG_EFI_CAPSULE_CFG_FILE="/tmp/capsules/sandbox_capsule_cfg.txt"
> > +CONFIG_EFI_USE_CAPSULE_CFG_FILE=y
> >  CONFIG_EFI_SECURE_BOOT=y
> >  CONFIG_TEST_FDTDEC=y
> >  CONFIG_UNIT_TEST=y
> > diff --git a/test/py/conftest.py b/test/py/conftest.py
> > index 661ed74fae..f32ab1a70c 100644
> > --- a/test/py/conftest.py
> > +++ b/test/py/conftest.py
> > @@ -161,6 +161,11 @@ def setup_capsule_build(source_dir, build_dir, 
> > board_type, log):
> > )
> >  run_command(name, cmd, source_dir)
> >
> > +capsule_cfg_file = 
> > 'test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt'
> > +name = 'cp'
> > +cmd = ( ' cp %s %s' % (capsule_cfg_file, capsule_sig_dir))
>
> I forgot to mention this before, but you should use f strings:
>
> cmd = f'cp {capsule_cfg_file} ...'

Will do.

>
> Please check the other files too, as it is a pain to clean it up
> later. You can run 'pylint' on your sourc

Re: [PATCH v3 11/11] sandbox: capsule: Generate capsule related files through binman

2023-07-11 Thread Sughosh Ganu
hi Simon,

On Tue, 11 Jul 2023 at 03:09, Simon Glass  wrote:
>
> Hi,
>
> On Sun, 9 Jul 2023 at 07:34, Sughosh Ganu  wrote:
> >
> > The EFI capsule files can now be generated as part of u-boot
> > build. This is done through binman. Add capsule entry nodes in the
> > u-boot.dtsi for the sandbox architecture for generating the
> > capsules. Remove the corresponding generation of capsules from the
> > capsule update conftest file.
> >
> > The capsules are generated through the config file for the sandbox
> > variant, and through explicit parameters for the sandbox_flattree
> > variant.
> >
> > Also generate the FIT image used for testing the capsule update
> > feature on the sandbox_flattree variant through binman. Remove the now
> > superfluous its file which was used for generating this FIT image.
> >
> > Signed-off-by: Sughosh Ganu 
> > ---
> > Changes since V2:
> > * New patch for generating the capsules and capsule input files
> >   through binman.
> >
> >  arch/sandbox/dts/u-boot.dtsi  | 143 ++
> >  test/py/tests/test_efi_capsule/conftest.py|  62 
> >  .../tests/test_efi_capsule/uboot_bin_env.its  |  36 -
> >  3 files changed, 143 insertions(+), 98 deletions(-)
> >  delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
> >
> > diff --git a/arch/sandbox/dts/u-boot.dtsi b/arch/sandbox/dts/u-boot.dtsi
> > index 60bd004937..292fb86a50 100644
> > --- a/arch/sandbox/dts/u-boot.dtsi
> > +++ b/arch/sandbox/dts/u-boot.dtsi
> > @@ -13,5 +13,148 @@
> > capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
> > };
> >  #endif
> > +
> > +   binman: binman {
> > +   multiple-images;
> > +   };
> > +};
> > +
> > +&binman {
> > +   itb {
> > +   filename = "/tmp/capsules/uboot_bin_env.itb";
>
> You can't really do this, since that dir may not exist. Can you drop the path?

This directory does exist. I am adding logic to add the directory in
patches 7 and 8 to ensure that the /tmp/capsules/ directory exists for
the capsule updates testing, both for CI runs as well as local pytest
test runs.

>
> > +
> > +   fit {
> > +   description = "Automatic U-Boot environment update";
> > +   #address-cells = <2>;
> > +
> > +   images {
> > +   u-boot-bin {
> > +   description = "U-Boot binary on SPI 
> > Flash";
> > +   data = 
> > /incbin/("/tmp/capsules/u-boot.bin.new");
>
> See FIT docs for how to include data in a FIT with binman.
>
> Basically you add it below *

Okay. Will change this.

>
> > +   compression = "none";
> > +   type = "firmware";
> > +   arch = "sandbox";
> > +   load = <0>;
> > +   hash-1 {
> > +   algo = "sha1";
> > +   };
>
> *
>blob {
>   filename = "u-boot.bin.new";
>}
>
> Please fix throughout.
>
> > +   };
> > +   u-boot-env {
> > +   description = "U-Boot environment 
> > on SPI Flash";
> > +   data = 
> > /incbin/("/tmp/capsules/u-boot.env.new");
> > +   compression = "none";
> > +   type = "firmware";
> > +   arch = "sandbox";
> > +   load = <0>;
> > +   hash-1 {
> > +   algo = "sha1";
> > +   };
> > +   };
> > +   };
> > +   };
> > +   };
> > +
> > +#ifdef CONFIG_EFI_USE_CAPSULE_CFG_FILE
> > +   capsule1 {
> > +   capsule {
> > +   cfg-file = CONFIG_EFI_CAPSULE_CFG_FILE;
> > +   };
> > +   };
> > +#el

Re: [PATCH v2 5/8] tools: mkeficapsule: Add support for parsing capsule params from config file

2023-07-15 Thread Sughosh Ganu
On Fri, 14 Jul 2023 at 16:14, Michal Simek  wrote:
>
>
>
> On 6/24/23 15:41, Sughosh Ganu wrote:
> > Add support for specifying the parameters needed for capsule
> > generation through a config file, instead of passing them through
> > command-line. Parameters for more than a single capsule file can be
> > specified, resulting in generation of multiple capsules through a
> > single invocation of the command.
> >
> > This path is to be used for generating capsules through a make target,
> > with the parameters being parsed from the config file.
> >
>
> Can you please also add support for adding comment to config file?
> Pretty much just ignore lines which start with /* or so.

Comments are currently supported with the '#' character, so that lines
starting with # are considered as comments.

-sughosh
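
The config-file format discussed in this reply (brace-delimited blocks of `key: value` lines, with lines starting with `#` treated as comments), as an added example that is not part of the thread and is not mkeficapsule's own parser: a small lint that reads such a file and reports blocks that would overwrite another capsule or carry a malformed GUID. The grammar is inferred from the sandbox_capsule_cfg.txt hunk earlier in this thread; the set of required keys, the function names and the sample file are assumptions made for the example.

```python
import re

# Constructed sample, modelled on sandbox_capsule_cfg.txt from this thread,
# with '#' comment lines and two deliberate mistakes added.
SAMPLE_CFG = """\
# raw u-boot.bin capsule
{
    image-index: 1
    image-guid: 09D7CF52-0720-4710-91D1-08469B7FE9C8
    payload: /tmp/capsules/u-boot.bin.new
    capsule: /tmp/capsules/Test01
}
{
    image-index: 2
    image-guid: 5A7021F5-FEF2-48B4-AABA-832E777418C0
    payload: /tmp/capsules/u-boot.env.new
    # mistake: same output file as the first block
    capsule: /tmp/capsules/Test01
}
{
    image-index: 1
    image-guid: not-a-guid
    payload: /tmp/capsules/u-boot.bin.new
}
"""

# Assumption: the four keys that every complete block in the thread's file has.
REQUIRED = ("image-index", "image-guid", "payload", "capsule")
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
INT_RE = re.compile(r"\d+|0[xX][0-9A-Fa-f]+")


def parse_capsule_cfg(text):
    """Return [(start_line, params_dict), ...], one entry per {...} block."""
    blocks, current, start = [], None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line == "{":
            if current is not None:
                raise ValueError(f"line {lineno}: nested '{{'")
            current, start = {}, lineno
        elif line == "}":
            if current is None:
                raise ValueError(f"line {lineno}: '}}' without '{{'")
            blocks.append((start, current))
            current = None
        else:
            if current is None:
                raise ValueError(f"line {lineno}: parameter outside a block")
            key, sep, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if not sep or not value:
                raise ValueError(f"line {lineno}: expected 'key: value'")
            if key in current:
                raise ValueError(f"line {lineno}: duplicate key {key!r}")
            current[key] = value
    if current is not None:
        raise ValueError(f"line {start}: block is never closed")
    return blocks


def lint_capsule_cfg(blocks):
    """Return [(block_start_line, message), ...] for suspicious blocks."""
    findings, outputs = [], {}
    for start, params in blocks:
        for key in REQUIRED:
            if key not in params:
                findings.append((start, f"missing {key}"))
        guid = params.get("image-guid")
        if guid is not None and not GUID_RE.fullmatch(guid):
            findings.append((start, f"malformed image-guid {guid!r}"))
        index = params.get("image-index")
        if index is not None and not INT_RE.fullmatch(index):
            findings.append((start, f"image-index {index!r} is not an integer"))
        out = params.get("capsule")
        if out is not None:
            if out in outputs:
                # A second block writing the same file silently replaces the first.
                findings.append(
                    (start, f"capsule {out} already written by block at line {outputs[out]}"))
            else:
                outputs[out] = start
    return findings


if __name__ == "__main__":
    for line, message in lint_capsule_cfg(parse_capsule_cfg(SAMPLE_CFG)):
        print(f"block at line {line}: {message}")
```
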


[PATCH v4 00/12] Integrate EFI capsule tasks into u-boot's build flow

2023-07-15 Thread Sughosh Ganu


This patchset aims to bring two capsule related tasks under the u-boot
build flow.

One is the embedding of the public key into the platform's dtb. The
public key is in the form of an EFI Signature List(ESL) file and is
used for capsule authentication. This is being achieved by adding the
signature node containing the capsule public key in the architecture's
u-boot.dtsi file. Currently, the u-boot.dtsi file has been added for
the sandbox and arm architectures. The path to the ESL file is being
provided through a Kconfig symbol(CONFIG_EFI_CAPSULE_ESL_FILE).

Changes have also been made to the test flow so that the keys used for
signing the capsule, and the ESL file, are generated prior to invoking
the u-boot's build, which enables embedding the ESL file into the dtb
as part of the u-boot build.

The other task is related to generation of capsules. Support is being
added to generate capsules by specifying the capsule parameters in a
config file. Calling the mkeficapsule tool then results in generation
of the corresponding capsule files. The capsules can be generated as
part of u-boot build, and this is being achieved through binman, by
adding a capsule entry type. The capsules can be generated either by
specifying the capsule parameters in a config file, or through
specifying them as properties under the capsule entry node. If using
the config file, the path to the config file is to be specified
through a Kconfig symbol(CONFIG_EFI_CAPSULE_CFG_FILE).

Changes have also been made to the efi capsule update feature testing
setup on the sandbox variants. Currently, the capsule files and the
public key ESL file are generated after u-boot has been built. This
logic has been changed so that the capsule input files along with the
keys needed for capsule signing and authentication are generated prior
to initiation of the u-boot build. The placement of all the files
needed for generation of capsules, along with the generated capsule
files is under the /tmp/capsules/ directory.

Currently, the capsule update feature is tested on the sandbox
and sandbox_flattree variants in CI. The capsule generation through
config file is enabled for the sandbox variant, with the
sandbox_flattree variant generating capsules through the command-line
parameters.

The document has been updated to reflect the above changes.

Changes since V3:
* New patch to support passing multiple commands to the build_from_git
  function to build the tool.
* Put the two ifdef statements together in arm architecture's
  u-boot.dtsi file.
* Remove the extra blank line in the Kconfig.
* Add support for firmware versioning, needed after rebasing on
  current master.
* Add test cases for covering the various capsule generation
  scenarios.
* Add function comments in the mkeficapsule bintool.
* Fix the fetch method of the mkeficapsule bintool to enable building
  the tool.
* Add more details about the capsule parameters in the documentation
  as well as the code.
* Fix order of module imports, and addition of blank lines in the
  capsule.py file.
* Use SetContents in the ObtainContents method.  
* Move the paragraph on version support under a separate subsection.
* Move the description on generating capsules through config file
  under the section to describe capsule generation.
* Add a subsection highlighting generation of capsules through
  binman.
* Remove whitespace in the command to generate capsule keys.
* Use fstrings for format specifiers.
* Rebase on top of current master to work with test configuration for
  version support in capsule updates.
* Use fstrings for format specifiers.
* Add entries for generating capsules with version parameter.
* Use blob nodes instead of incbin for including the binaries in FIT
  image.
* Enable generation of capsules with versioning support.


Sughosh Ganu (12):
  binman: bintool: Build a tool from a list of commands
  nuvoton: npcm845-evb: Add a newline at the end of file
  capsule: authenticate: Add capsule public key in platform's dtb
  doc: capsule: Document the new mechanism to embed ESL file into dtb
  tools: mkeficapsule: Add support for parsing capsule params from
config file
  binman: capsule: Add support for generating capsules
  doc: Add documentation to highlight capsule generation related updates
  CI: capsule: Setup the files needed for capsule update testing
  test: py: Setup capsule files for testing
  test: capsule: Remove public key embed logic from capsule update test
  sandbox: capsule: Add a config file for generating capsules
  sandbox: capsule: Generate capsule related files through binman

 .azure-pipelines.yml  |  26 ++
 .gitlab-ci.yml|  24 ++
 arch/arm/dts/nuvoton-npcm845-evb.dts  |   2 +-
 arch/arm/dts/u-boot.dtsi  |  17 +
 arch/sandbox/dts/u-boot.dtsi  | 282 ++
 configs/sandbox_defconfig |   3 +
 configs/sandbox_flattree_d

[PATCH v4 01/12] binman: bintool: Build a tool from a list of commands

2023-07-15 Thread Sughosh Ganu
Add support to build a tool from source with a list of commands. This
is useful when a tool can be built with multiple commands instead of a
single command.

Signed-off-by: Sughosh Ganu 
---
Changes since V3:
* New patch to support passing multiple commands to the build_from_git
  function to build the tool.

 tools/binman/bintool.py| 19 +++
 tools/binman/btool/_testing.py |  3 ++-
 tools/binman/btool/fiptool.py  |  4 +++-
 tools/binman/btool/futility.py |  4 +++-
 4 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/tools/binman/bintool.py b/tools/binman/bintool.py
index 81629683df..279bf2fec4 100644
--- a/tools/binman/bintool.py
+++ b/tools/binman/bintool.py
@@ -328,7 +328,7 @@ class Bintool:
 return result.stdout
 
 @classmethod
-def build_from_git(cls, git_repo, make_target, bintool_path, flags=None):
+def build_from_git(cls, git_repo, make_targets, bintool_path, flags=None):
 """Build a bintool from a git repo
 
 This clones the repo in a temporary directory, builds it with 'make',
@@ -336,7 +336,8 @@ class Bintool:
 
 Args:
 git_repo (str): URL of git repo
-make_target (str): Target to pass to 'make' to build the tool
+make_targets (list of str): List of targets to pass to 'make' to 
build
+the tool
 bintool_path (str): Relative path of the tool in the repo, after
 build is complete
 flags (list of str): Flags or variables to pass to make, or None
@@ -350,12 +351,14 @@ class Bintool:
 tmpdir = tempfile.mkdtemp(prefix='binmanf.')
 print(f"- clone git repo '{git_repo}' to '{tmpdir}'")
 tools.run('git', 'clone', '--depth', '1', git_repo, tmpdir)
-print(f"- build target '{make_target}'")
-cmd = ['make', '-C', tmpdir, '-j', f'{multiprocessing.cpu_count()}',
-   make_target]
-if flags:
-cmd += flags
-tools.run(*cmd)
+for target in make_targets:
+print(f"- build target '{target}'")
+cmd = ['make', '-C', tmpdir, '-j', 
f'{multiprocessing.cpu_count()}',
+   target]
+if flags:
+cmd += flags
+tools.run(*cmd)
+
 fname = os.path.join(tmpdir, bintool_path)
 if not os.path.exists(fname):
 print(f"- File '{fname}' was not produced")
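
Review bot: the new `for target in make_targets` loop iterates character by character if a caller that was not converted still passes a string such as 'all', so make would be run once per letter. The positional parameter changed type without changing position, so either reject a str argument up front or wrap it in a list. Each target also gets its own full make invocation with `flags` appended; if ordering between the targets does not matter, passing them all to a single make call would keep -j effective across targets.
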
diff --git a/tools/binman/btool/_testing.py b/tools/binman/btool/_testing.py
index 4005e8a8a5..c0109c76bf 100644
--- a/tools/binman/btool/_testing.py
+++ b/tools/binman/btool/_testing.py
@@ -32,5 +32,6 @@ class Bintool_testing(bintool.Bintool):
 return self.apt_install('package')
 return self.fetch_from_drive('junk')
 if method == bintool.FETCH_BUILD:
-return self.build_from_git('url', 'target', 'pathname')
+cmd = ['target']
+return self.build_from_git('url', cmd, 'pathname')
 return None
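
Review bot: the local is named `cmd` here, and again in the fiptool and futility callers, although it holds a list of make targets rather than a command, which is at odds with the new `make_targets` parameter name. Passing `['target']` inline, or naming the variable `targets`, would read better.
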
diff --git a/tools/binman/btool/fiptool.py b/tools/binman/btool/fiptool.py
index c80f8275c4..b275fee43b 100644
--- a/tools/binman/btool/fiptool.py
+++ b/tools/binman/btool/fiptool.py
@@ -107,8 +107,10 @@ class Bintoolfiptool(bintool.Bintool):
 """
 if method != bintool.FETCH_BUILD:
 return None
+
+cmd = ['fiptool']
 result = self.build_from_git(
 'https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git',
-'fiptool',
+cmd,
 'tools/fiptool/fiptool')
 return result
diff --git a/tools/binman/btool/futility.py b/tools/binman/btool/futility.py
index 04c9aefe9b..4b22547368 100644
--- a/tools/binman/btool/futility.py
+++ b/tools/binman/btool/futility.py
@@ -168,9 +168,11 @@ class Bintoolfutility(bintool.Bintool):
 #
 # Unfortunately this requires logging in and obtaining a line for the
 # .gitcookies file. So use a mirror instead.
+
+cmd = ['all']
 result = self.build_from_git(
 'https://github.com/sjg20/vboot_reference.git',
-'all',
+cmd,
 'build/futility/futility',
 flags=['USE_FLASHROM=0'])
 return result
-- 
2.34.1



[PATCH v4 02/12] nuvoton: npcm845-evb: Add a newline at the end of file

2023-07-15 Thread Sughosh Ganu
Add a newline at the end of the dts, without which the build fails
when including the u-boot.dtsi file.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Simon Glass 
---
Changes since V3: None

 arch/arm/dts/nuvoton-npcm845-evb.dts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/dts/nuvoton-npcm845-evb.dts 
b/arch/arm/dts/nuvoton-npcm845-evb.dts
index 3cab7807e3..a93666cb41 100644
--- a/arch/arm/dts/nuvoton-npcm845-evb.dts
+++ b/arch/arm/dts/nuvoton-npcm845-evb.dts
@@ -354,4 +354,4 @@
&r1en_pins
&r1oen_pins
>;
-};
\ No newline at end of file
+};
-- 
2.34.1



[PATCH v4 03/12] capsule: authenticate: Add capsule public key in platform's dtb

2023-07-15 Thread Sughosh Ganu
The EFI capsule authentication logic in u-boot expects the public key
in the form of an EFI Signature List(ESL) to be provided as part of
the platform's dtb. Currently, the embedding of the ESL file into the
dtb needs to be done manually.

Add a signature node in the u-boot dtsi file and include the public
key through the capsule-key property. This file is per architecture,
and is currently being added for sandbox and arm architectures. It
will have to be added for other architectures which need to enable
capsule authentication support.

The path to the ESL file is specified through the
CONFIG_EFI_CAPSULE_ESL_FILE symbol.

Signed-off-by: Sughosh Ganu 
---
Changes since V3:
* Put the two ifdef statements together in arm architecture's
  u-boot.dtsi file.
* Remove the extra blank line in the Kconfig.

 arch/arm/dts/u-boot.dtsi | 17 +
 arch/sandbox/dts/u-boot.dtsi | 17 +
 lib/efi_loader/Kconfig   | 10 ++
 lib/efi_loader/Makefile  |  7 +++
 4 files changed, 51 insertions(+)
 create mode 100644 arch/arm/dts/u-boot.dtsi
 create mode 100644 arch/sandbox/dts/u-boot.dtsi

diff --git a/arch/arm/dts/u-boot.dtsi b/arch/arm/dts/u-boot.dtsi
new file mode 100644
index 00..2a9359c43c
--- /dev/null
+++ b/arch/arm/dts/u-boot.dtsi
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Devicetree file with miscellaneous nodes that will be included
+ * at build time into the DTB. Currently being used for including
+ * capsule related information.
+ *
+ */
+
+#ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT
+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+/ {
+   signature {
+   capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
+   };
+};
+#endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */
+#endif /* CONFIG_EFI_HAVE_CAPSULE_SUPPORT */
diff --git a/arch/sandbox/dts/u-boot.dtsi b/arch/sandbox/dts/u-boot.dtsi
new file mode 100644
index 00..60bd004937
--- /dev/null
+++ b/arch/sandbox/dts/u-boot.dtsi
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Devicetree file with miscellaneous nodes that will be included
+ * at build time into the DTB. Currently being used for including
+ * capsule related information.
+ *
+ */
+
+#ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT
+/ {
+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+   signature {
+   capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
+   };
+#endif
+};
+#endif /* CONFIG_EFI_HAVE_CAPSULE_SUPPORT */
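
Review bot: the guard structure in this file differs from arch/arm/dts/u-boot.dtsi in the same patch. Here the root node sits inside CONFIG_EFI_HAVE_CAPSULE_SUPPORT and only the signature node inside CONFIG_EFI_CAPSULE_AUTHENTICATE, so an empty `/ { };` is emitted when authentication is off, while the arm file wraps the whole node in both ifdefs. Please use one form in both files; if CONFIG_EFI_CAPSULE_AUTHENTICATE already depends on capsule support, the outer ifdef can be dropped. The trailing empty ` *` line in the header comment can go as well.
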
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index a22e47616f..9abb9a4db3 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -235,6 +235,16 @@ config EFI_CAPSULE_MAX
  Select the max capsule index value used for capsule report
  variables. This value is used to create CapsuleMax variable.
 
+config EFI_CAPSULE_ESL_FILE
+   string "Path to the EFI Signature List File"
+   default ""
+   depends on EFI_CAPSULE_AUTHENTICATE
+   help
+ Provides the absolute path to the EFI Signature List
+ file which will be embedded in the platform's device
+ tree and used for capsule authentication at the time
+ of capsule update.
+
 config EFI_DEVICE_PATH_TO_TEXT
bool "Device path to text protocol"
default y
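
Review bot: `default ""` on EFI_CAPSULE_ESL_FILE, combined with the Makefile check added in this patch, means any configuration that enables CONFIG_EFI_CAPSULE_AUTHENTICATE stops building until the path is filled in, and the help text does not say so. Please state in the help that the symbol is mandatory when authentication is enabled. The help also says "absolute path", but nothing in the visible changes enforces that; either say how a relative path is resolved or check for it.
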
diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
index 1a8c8d7cab..c52c9d27bd 100644
--- a/lib/efi_loader/Makefile
+++ b/lib/efi_loader/Makefile
@@ -89,3 +89,10 @@ obj-$(CONFIG_EFI_ECPT) += efi_conformance.o
 
 EFI_VAR_SEED_FILE := $(subst $\",,$(CONFIG_EFI_VAR_SEED_FILE))
 $(obj)/efi_var_seed.o: $(srctree)/$(EFI_VAR_SEED_FILE)
+
+ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y)
+EFI_CAPSULE_KEY_PATH := $(subst $\",,$(CONFIG_EFI_CAPSULE_ESL_FILE))
+ifeq ("$(wildcard $(EFI_CAPSULE_KEY_PATH))","")
+$(error .esl cerificate not found. Configure your CONFIG_EFI_CAPSULE_ESL_FILE)
+endif
+endif
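
Review bot: the $(error ...) text misspells "certificate" as "cerificate", and it does not print the path that was looked up, which makes a wrong CONFIG_EFI_CAPSULE_ESL_FILE value hard to spot. Suggest something like `$(error ESL file '$(EFI_CAPSULE_KEY_PATH)' not found, set CONFIG_EFI_CAPSULE_ESL_FILE)`. Note also that $(wildcard) resolves a relative path against make's working directory, whereas the EFI_VAR_SEED_FILE rule just above is anchored at $(srctree).
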
-- 
2.34.1
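
An added example, not part of the patch or of U-Boot: a parser for the ESL file that CONFIG_EFI_CAPSULE_ESL_FILE points at, used to confirm that the file holds the intended signer certificate before it is embedded into the dtb. The layout follows the EFI_SIGNATURE_LIST structure of the UEFI specification; the function names, the owner GUID and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID('a5c059a1-94e4-4aa7-87b5-ab155c2bf072')
# EFI_SIGNATURE_LIST header, little-endian: SignatureType (GUID),
# SignatureListSize, SignatureHeaderSize, SignatureSize.
ESL_HEADER = struct.Struct('<16sIII')
GUID_LEN = 16

# Constructed sample data: placeholders, not real certificates or owners.
SAMPLE_OWNER = uuid.UUID('11111111-2222-3333-4444-555555555555')
SAMPLE_CERT = b'constructed DER bytes standing in for SIGNER.crt' * 4
OTHER_CERT = b'constructed DER bytes standing in for SIGNER2.crt' * 4


def der_to_pem(der):
    """Wrap DER bytes in PEM armour, the form openssl writes to a .crt file."""
    b64 = base64.b64encode(der).decode('ascii')
    body = '\n'.join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f'-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n'


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate found in PEM text."""
    match = re.search(
        r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----',
        pem_text, re.S)
    if not match:
        raise ValueError('no PEM certificate found')
    return base64.b64decode(''.join(match.group(1).split()))


def build_esl(owner, cert_der):
    """Build a single-certificate ESL (constructed input for this example)."""
    sig_size = GUID_LEN + len(cert_der)
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le,
                             ESL_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl(blob):
    """Return (type_guid, owner_guid, data) for every signature in the file.

    Raises ValueError when a size field does not fit the data, so that a
    truncated or corrupt file is rejected instead of being partially read.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError(f'truncated list header at offset {off}')
        type_raw, list_size, hdr_size, sig_size = \
            ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size or off + list_size > len(blob):
            raise ValueError(f'bad SignatureListSize at offset {off}')
        body = list_size - ESL_HEADER.size - hdr_size
        if sig_size <= GUID_LEN or body <= 0 or body % sig_size:
            raise ValueError(f'bad signature sizes at offset {off}')
        type_guid = uuid.UUID(bytes_le=type_raw)
        pos = off + ESL_HEADER.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + GUID_LEN])
            data = blob[pos + GUID_LEN:pos + sig_size]
            entries.append((type_guid, owner, data))
            pos += sig_size
        off += list_size
    return entries


def cert_fingerprint(cert_der):
    """SHA-256 of the DER encoding, as a hex string."""
    return hashlib.sha256(cert_der).hexdigest()


def x509_fingerprints(blob):
    """Fingerprints of all X.509 entries in an ESL, in file order."""
    return [cert_fingerprint(data) for type_guid, _, data in parse_esl(blob)
            if type_guid == EFI_CERT_X509_GUID]


def esl_contains_cert(blob, pem_text):
    """True if the certificate in pem_text is one of the ESL's X.509 entries."""
    return cert_fingerprint(pem_to_der(pem_text)) in x509_fingerprints(blob)


def is_well_formed(blob):
    """True if every size field in the ESL is consistent with the data."""
    try:
        parse_esl(blob)
    except ValueError:
        return False
    return True


if __name__ == '__main__':
    esl = build_esl(SAMPLE_OWNER, SAMPLE_CERT)
    print(x509_fingerprints(esl))
    print(esl_contains_cert(esl, der_to_pem(SAMPLE_CERT)))
    print(esl_contains_cert(esl, der_to_pem(OTHER_CERT)))
```

On a real tree the same check is run by passing the bytes of the ESL file and the text of the signer's .crt file to esl_contains_cert().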



[PATCH v4 04/12] doc: capsule: Document the new mechanism to embed ESL file into dtb

2023-07-15 Thread Sughosh Ganu
Update the document to specify how the EFI Signature List(ESL) file
can be embedded into the platform's dtb as part of the u-boot build.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Simon Glass 
---
Changes since V3: None

 doc/develop/uefi/uefi.rst | 22 +-
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 6626ceec52..3d07aa33b8 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -522,20 +522,16 @@ and used by the steps highlighted below.
 ...
 }
 
-You can do step-4 manually with
+You can perform step-4 by defining the Kconfig symbol
+CONFIG_EFI_CAPSULE_ESL_FILE. Once this has been done, the signature
+node can be added to the u-boot.dtsi file. For reference, check the
+u-boot.dtsi file for the sandbox architecture. If this node has not
+been added to the architecture's u-boot.dtsi file, this needs to be
+done. The node has currently been added for the sandbox and arm
+architectures' in the u-boot.dtsi file. Once the u-boot.dtsi file has
+been added with the signature node, the esl file will automatically
+get embedded into the platform's dtb as part of u-boot build.
 
-.. code-block:: console
-
-$ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts
-$ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo
-
-where signature.dts looks like::
-
-&{/} {
-signature {
-capsule-key = /incbin/("CRT.esl");
-};
-};
 
 Anti-rollback Protection
 
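
Review bot: the replacement paragraph in this hunk is hard to follow: it says the signature node "can be added", then that this "needs to be done", then that it has already been added for sandbox and arm, and "architectures' in" carries a stray apostrophe. Suggest stating first that sandbox and arm already have the node, then what other architectures must add. Removing the dtc/fdtoverlay steps also leaves no documented route for embedding the key into a dtb that is not produced by the u-boot build, and the hunk leaves two blank lines before "Anti-rollback Protection".
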
-- 
2.34.1



[PATCH v4 05/12] tools: mkeficapsule: Add support for parsing capsule params from config file

2023-07-15 Thread Sughosh Ganu
Add support for specifying the parameters needed for capsule
generation through a config file, instead of passing them through
command-line. Parameters for more than a single capsule file can be
specified, resulting in generation of multiple capsules through a
single invocation of the command.

This path is to be used for generating capsules through a make target,
with the parameters being parsed from the config file.

Signed-off-by: Sughosh Ganu 
---
Changes since V3:
* Add support for firmware versioning, needed after rebasing on
  current master.

 tools/Kconfig  |  16 ++
 tools/Makefile |   1 +
 tools/eficapsule.h | 115 
 tools/mkeficapsule.c   |  87 +
 tools/mkeficapsule_parse.c | 352 +
 5 files changed, 540 insertions(+), 31 deletions(-)
 create mode 100644 tools/mkeficapsule_parse.c

diff --git a/tools/Kconfig b/tools/Kconfig
index 6e23f44d55..88ea3567d0 100644
--- a/tools/Kconfig
+++ b/tools/Kconfig
@@ -98,6 +98,22 @@ config TOOLS_MKEFICAPSULE
  optionally sign that file. If you want to enable UEFI capsule
  update feature on your target, you certainly need this.
 
+config EFI_CAPSULE_CFG_FILE
+   string "Path to the EFI Capsule Config File"
+   default ""
+   help
+ Path to the EFI capsule config file which provides the
+ parameters needed to build capsule(s). Parameters can be
+ provided for multiple payloads resulting in corresponding
+ capsule images being generated.
+
+config EFI_USE_CAPSULE_CFG_FILE
+   bool "Use the config file for generating capsules"
+   help
+ Boolean option used to specify if the EFI capsules are to
+ be generated through parameters specified via the config
+ file or through command line.
+
 menuconfig FSPI_CONF_HEADER
bool "FlexSPI Header Configuration"
help
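
Review bot: neither new symbol has a `depends on`, so EFI_CAPSULE_CFG_FILE is offered even when EFI_USE_CAPSULE_CFG_FILE is off, and both are offered without TOOLS_MKEFICAPSULE. Suggest declaring the bool first with `depends on TOOLS_MKEFICAPSULE` and making the string depend on the bool. The help for EFI_CAPSULE_CFG_FILE should also say whether the path is absolute or what it is relative to.
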
diff --git a/tools/Makefile b/tools/Makefile
index 3d0c4b0dd6..eb129e3bb2 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -250,6 +250,7 @@ HOSTLDLIBS_mkeficapsule += \
 HOSTLDLIBS_mkeficapsule += \
$(shell pkg-config --libs uuid 2> /dev/null || echo "-luuid")
 hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
+mkeficapsule-objs := mkeficapsule.o mkeficapsule_parse.o
 
 mkfwumdata-objs := mkfwumdata.o generated/lib/crc32.o
 HOSTLDLIBS_mkfwumdata += -luuid
diff --git a/tools/eficapsule.h b/tools/eficapsule.h
index 2099a2e9b8..d455ac1d6f 100644
--- a/tools/eficapsule.h
+++ b/tools/eficapsule.h
@@ -52,6 +52,12 @@ typedef struct {
 /* flags */
 #define CAPSULE_FLAGS_PERSIST_ACROSS_RESET  0x0001
 
+enum capsule_type {
+   CAPSULE_NORMAL_BLOB = 0,
+   CAPSULE_ACCEPT,
+   CAPSULE_REVERT,
+};
+
 struct efi_capsule_header {
efi_guid_t capsule_guid;
uint32_t header_size;
@@ -113,6 +119,7 @@ struct efi_firmware_image_authentication {
struct win_certificate_uefi_guid auth_info;
 } __packed;
 
+
 /* fmp payload header */
 #define SIGNATURE_16(A, B) ((A) | ((B) << 8))
 #define SIGNATURE_32(A, B, C, D)   \
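
Review bot: the only change in this hunk is an extra blank line before the "fmp payload header" comment, which leaves two consecutive blank lines and is unrelated to config file parsing. Please drop it.
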
@@ -143,4 +150,112 @@ struct fmp_payload_header_params {
uint32_t fw_version;
 };
 
+/**
+ * struct efi_capsule_params - Capsule parameters
+ * @image_guid: Guid value of the payload input image
+ * @image_index: Image index value
+ * @hardware_instance: Hardware instance to be used for the image
+ * @fmp: FMP payload header used for storing firmware version
+ * @monotonic_count: Monotonic count value to be used for signed capsule
+ * @privkey_file: Path to private key used in capsule signing
+ * @cert_file: Path to public key certificate used in capsule signing
+ * @input_file: Path to payload input image
+ * @capsule_file: Path to the output capsule file
+ * @oemflags: Oemflags to be populated in the capsule header
+ * @capsule: Capsule Type, normal or accept or revert
+ */
+struct efi_capsule_params {
+   efi_guid_t *image_guid;
+   unsigned long image_index;
+   unsigned long hardware_instance;
+   struct fmp_payload_header_params fmp;
+   uint64_t monotonic_count;
+   char *privkey_file;
+   char *cert_file;
+   char *input_file;
+   char *capsule_file;
+   unsigned long oemflags;
+   enum capsule_type capsule;
+};
+
+/**
+ * capsule_with_cfg_file() - Generate capsule from config file
+ * @cfg_file: Path to the config file
+ *
+ * Parse the capsule parameters from the config file and use the
+ * parameters for generating one or more capsules.
+ *
+ * Return: None
+ *
+ */
+void capsule_with_cfg_file(const char *cfg_file);
+
+/**
+ * convert_uuid_to_guid() - convert UUID to GUID
+ * @buf:   UUID binary
+ *
+ * UUID and GUID have the same data structure, but their binary
+ * formats are different due to the endianness. See lib/uuid.c.
+ * Since uuid_parse() can handle only UUID, this function must
+ * be called to get correct data for GUID when par
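
Review bot: capsule_with_cfg_file() is declared as returning void ("Return: None"), so from this header a caller has no way to learn that the config file was malformed or that a capsule could not be generated. Returning an int, or documenting that the function exits the process on error, would make the contract clear to build systems that invoke the tool. In struct efi_capsule_params, image_index, hardware_instance and oemflags are unsigned long while monotonic_count uses a fixed-width type; fixed-width types throughout would be more consistent.
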

[PATCH v4 06/12] binman: capsule: Add support for generating capsules

2023-07-15 Thread Sughosh Ganu
Add support in binman for generating capsules. The capsule parameters
can be specified either through a config file or through the capsule
binman entry. Also add test cases in binman for capsule generation,
and enable this testing on the sandbox_spl variant.

Signed-off-by: Sughosh Ganu 
---
Changes since V3:
* Add test cases for covering the various capsule generation
  scenarios.
* Add function comments in the mkeficapsule bintool.
* Fix the fetch method of the mkeficapsule bintool to enable building
  the tool.
* Add more details about the capsule parameters in the documentation
  as well as the code.
* Fix order of module imports, and addition of blank lines in the
  capsule.py file.
* Use SetContents in the ObtainContents method.  

 configs/sandbox_spl_defconfig |   1 +
 tools/binman/btool/mkeficapsule.py| 158 ++
 tools/binman/entries.rst  |  37 
 tools/binman/etype/capsule.py | 132 +++
 tools/binman/ftest.py | 127 ++
 tools/binman/test/282_capsule.dts |  18 ++
 tools/binman/test/283_capsule_signed.dts  |  20 +++
 tools/binman/test/284_capsule_conf.dts|  14 ++
 tools/binman/test/285_capsule_missing_key.dts |  19 +++
 .../binman/test/286_capsule_missing_index.dts |  17 ++
 .../binman/test/287_capsule_missing_guid.dts  |  17 ++
 .../test/288_capsule_missing_payload.dts  |  17 ++
 tools/binman/test/289_capsule_missing.dts |  17 ++
 tools/binman/test/290_capsule_version.dts |  19 +++
 tools/binman/test/capsule_cfg.txt |   6 +
 15 files changed, 619 insertions(+)
 create mode 100644 tools/binman/btool/mkeficapsule.py
 create mode 100644 tools/binman/etype/capsule.py
 create mode 100644 tools/binman/test/282_capsule.dts
 create mode 100644 tools/binman/test/283_capsule_signed.dts
 create mode 100644 tools/binman/test/284_capsule_conf.dts
 create mode 100644 tools/binman/test/285_capsule_missing_key.dts
 create mode 100644 tools/binman/test/286_capsule_missing_index.dts
 create mode 100644 tools/binman/test/287_capsule_missing_guid.dts
 create mode 100644 tools/binman/test/288_capsule_missing_payload.dts
 create mode 100644 tools/binman/test/289_capsule_missing.dts
 create mode 100644 tools/binman/test/290_capsule_version.dts
 create mode 100644 tools/binman/test/capsule_cfg.txt

diff --git a/configs/sandbox_spl_defconfig b/configs/sandbox_spl_defconfig
index dd848c57c6..2fcc789347 100644
--- a/configs/sandbox_spl_defconfig
+++ b/configs/sandbox_spl_defconfig
@@ -248,3 +248,4 @@ CONFIG_UNIT_TEST=y
 CONFIG_SPL_UNIT_TEST=y
 CONFIG_UT_TIME=y
 CONFIG_UT_DM=y
+CONFIG_TOOLS_MKEFICAPSULE=y
diff --git a/tools/binman/btool/mkeficapsule.py 
b/tools/binman/btool/mkeficapsule.py
new file mode 100644
index 00..ba6b666714
--- /dev/null
+++ b/tools/binman/btool/mkeficapsule.py
@@ -0,0 +1,158 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright 2023 Linaro Limited
+#
+"""Bintool implementation for mkeficapsule tool
+
+mkeficapsule is a tool used for generating EFI capsules.
+
+The following are the command-line options to be provided
+to the tool
+Usage: mkeficapsule [options]  
+Options:
+   -g, --guid guid for image blob type
+   -i, --index  update image index
+   -I, --instanceupdate hardware instance
+   -v, --fw-version   firmware version
+   -p, --private-key   private key file
+   -c, --certificate  signer's certificate file
+   -m, --monotonic-count  monotonic count
+   -d, --dump_sig  dump signature (*.p7)
+   -A, --fw-accept  firmware accept capsule, requires GUID, no image blob
+   -R, --fw-revert  firmware revert capsule, takes no GUID, no image blob
+   -o, --capoemflag Capsule OEM Flag, an integer between 0x and 0x
+   -f, --cfg-file  config file with capsule parameters
+   -h, --help  print a help message
+
+"""
+
+from binman import bintool
+
+class Bintoolmkeficapsule(bintool.Bintool):
+"""Handles the 'mkeficapsule' tool
+
+This bintool is used for generating the EFI capsules. The
+capsule generation parameters can either be specified through
+command-line, or through a config file.
+
+"""
+def __init__(self, name):
+super().__init__(name, 'mkeficapsule tool for generating capsules')
+
+def capsule_cfg_file(self, cfg_file):
+"""Generate a capsule reading parameters from config file
+
+Args:
+cfg_file (str): Path to the config file
+
+Returns:
+str: Tool output
+"""
+
+args = [
+f'--cfg-file={cfg_file}'
+]
+return self.run_cmd(*args)
+
+def cmdline_capsule(self, image_index, image_guid, hardware_instance,
+payload, output_fname, vers
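
Review bot: the module docstring copies the tool's full option list, which will go stale as soon as mkeficapsule gains or renames an option; this series itself adds --cfg-file. A short description plus a pointer to `mkeficapsule --help` would be easier to keep correct. There should also be two blank lines between the import and the class definition.
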

[PATCH v4 07/12] doc: Add documentation to highlight capsule generation related updates

2023-07-15 Thread Sughosh Ganu
The UEFI capsule can now be generated by specifying the capsule
parameters through a config file. Additionally, the capsules can be
generated as part of u-boot build, through binman. Highlight these
changes in the documentation.

Signed-off-by: Sughosh Ganu 
---
Changes since V3:
* Move the paragraph on version support under a separate subsection.
* Move the description on generating capsules through config file
  under the section to describe capsule generation.
* Add a subsection highlighting generation of capsules through
  binman.

 doc/develop/uefi/uefi.rst | 84 +++
 1 file changed, 84 insertions(+)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 3d07aa33b8..251eaa13fd 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -318,6 +318,79 @@ Run the following command
   --guid  \
   
 
+Alternatively, the capsules can be generated through a config
+file. When generating the capsules through a config file, the Kconfig
+symbol CONFIG_EFI_CAPSULE_CFG_FILE is to be used for specifying the
+path to the config file.
+
+The config file describes the parameters that are used for generating
+one or more capsules. The parameters for a given capsule file are
+specified within curly braces, in the form of "key:value" pairs. All
+the parameters that are currently supported by the mkeficapsule tool
+can be specified through the config file.
+
+The following are some example payload parameters specified through
+the config file.
+
+.. code-block:: none
+
+   {
+   image-guid: 02f4d760-cfd5-43bd-8e2d-a42acb33c660
+   hardware-instance: 0
+   monotonic-count: 1
+   payload: u-boot.bin
+   image-index: 1
+   fw-version: 2
+   private-key: /path/to/priv/key
+   pub-key-cert: /path/to/pub/key
+   capsule: u-boot.capsule
+   }
+   {
+   image-guid: 4ce292da-1dd8-428d-a1c2-77743ef8b96e
+   hardware-instance: 0
+   payload: u-boot.itb
+   image-index: 2
+   fw-version: 7
+   oemflags: 0x8000
+   capsule: fit.capsule
+   }
+   {
+   capsule-type: accept
+   image-guid: 4ce292da-1dd8-428d-a1c2-77743ef8b96e
+   capsule: accept.capsule
+   }
+   {
+   capsule-type: revert
+   capsule: revert.capsule
+   }
+
+The following are the keys that specify the capsule parameters
+
+..code-block:: none
+
+image-guid: Image GUID
+image-index: Image index value
+fw-version: Image version
+private-key: Path to the private key file used for capsule signing
+pub-key-cert: Path to the public key crt file used for capsule signing
+payload: Path to the capsule payload file
+capsule: Path to the output capsule file that is generated
+hardware-instance: Hardware Instance value
+monotonic-count: Monotonic count value
+capsule-type: Specifies capsule type. normal(default), accept or revert
+oemflags: 16bit Oemflags value to be used(populated in capsule header)
+
+When generating capsules through a config file, the command would look
+like
+
+.. code-block:: console
+
+$ mkeficapsule --cfg-file 
+
+
+Capsule with firmware version
+*
+
 The UEFI specification does not define the firmware versioning mechanism.
 EDK II reference implementation inserts the FMP Payload Header right before
 the payload. It coutains the fw_version and lowest supported version,
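
Review bot: the directive before the key list is written `..code-block:: none`, without a space after the two dots, so reStructuredText will not treat it as a code-block directive and the key list will not render as intended. It should read `.. code-block:: none`. The example also gives private-key and pub-key-cert only in the first block; a sentence saying what happens when they are omitted would help readers.
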
@@ -345,6 +418,17 @@ add --fw-version option in mkeficapsule tool.
 If the --fw-version option is not set, FMP Payload Header is not inserted
 and fw_version is set as 0.
 
+
+Capsule Generation through binman
+*
+
+Support has also been added to generate capsules during u-boot build
+through binman. This requires the platform's DTB to be populated with
+the capsule entry nodes for binman. The capsules then can be generated
+by specifying the capsule parameters either through a config file, or
+by specifying them as properties in the capsule entry node.
+
+
 Performing the update
 *
 
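
Review bot: the new "Capsule Generation through binman" subsection does not name the entry type or its properties, so a reader cannot write the node from this text alone. Please add a short example node or a reference to tools/binman/entries.rst, which this series updates.
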
-- 
2.34.1



[PATCH v4 08/12] CI: capsule: Setup the files needed for capsule update testing

2023-07-15 Thread Sughosh Ganu
Support has been added through earlier commits to build capsules
and embed the public key needed for capsule authentication as part of
u-boot build.

From the testing point-of-view, this means the input files needed for
generating the above have to be setup before invoking the build. Set
this up in the CI configuration files for testing the capsule update
feature.

Signed-off-by: Sughosh Ganu 
---
Changes since V3:
* Remove whitespace in the command to generate capsule keys.

 .azure-pipelines.yml | 24 
 .gitlab-ci.yml   | 22 ++
 2 files changed, 46 insertions(+)

diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
index 06c46b681c..d732ba443d 100644
--- a/.azure-pipelines.yml
+++ b/.azure-pipelines.yml
@@ -398,6 +398,17 @@ stages:
   wget -O - 
https://github.com/riscv-software-src/opensbi/releases/download/v1.2/opensbi-1.2-rv-bin.tar.xz
 | tar -C /tmp -xJ;
   export 
OPENSBI=/tmp/opensbi-1.2-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
   fi
+  mkdir -p /tmp/capsules/;
+  echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
+  echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
+  echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
+  echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+  if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == 
"sandbox_flattree" ]]; then
+  openssl req -x509 -sha256 -newkey rsa:2048 -subj 
/CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt 
-nodes -days 365;
+  openssl req -x509 -sha256 -newkey rsa:2048 -subj 
/CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out 
/tmp/capsules/SIGNER2.crt -nodes -days 365;
+  cert-to-efi-sig-list /tmp/capsules/SIGNER.crt 
/tmp/capsules/SIGNER.esl;
+  fi
+
   # the below corresponds to .gitlab-ci.yml "script"
   cd ${WORK_DIR}
   export UBOOT_TRAVIS_BUILD_DIR=/tmp/${TEST_PY_BD};
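
Review bot: the signing keys are written unencrypted (-nodes) to the fixed, predictable path /tmp/capsules/, and the same five payload lines and three key commands are repeated in the second hunk of this file and in .gitlab-ci.yml. Moving the setup into one script in the tree that both CI files call would stop the copies drifting apart, and creating the directory with a restrictive mode would keep the private keys from being readable by other users of the build host. Both certificates also use the same subject, /CN=TEST_SIGNER/, which makes SIGNER and SIGNER2 indistinguishable by name.
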
@@ -582,6 +593,19 @@ stages:
   cd ${WORK_DIR}
   # make environment variables available as tests are running inside a 
container
   export BUILDMAN="${BUILDMAN}"
+  if [[ "${BUILDMAN}" == "sandbox" ]] || [[ "${BUILDMAN}" == "sandbox 
x86" ]]; then
+  if [ ! -d "/tmp/capsules/" ]; then
+  mkdir -p /tmp/capsules/;
+  echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
+  echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
+  echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
+  echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+
+  openssl req -x509 -sha256 -newkey rsa:2048 -subj 
/CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt 
-nodes -days 365;
+  openssl req -x509 -sha256 -newkey rsa:2048 -subj 
/CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out 
/tmp/capsules/SIGNER2.crt -nodes -days 365;
+  cert-to-efi-sig-list /tmp/capsules/SIGNER.crt 
/tmp/capsules/SIGNER.esl;
+  fi
+  fi
   git config --global --add safe.directory ${WORK_DIR}
   EOF
   cat << "EOF" >> build.sh
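
Review bot: the `[ ! -d "/tmp/capsules/" ]` guard skips the whole setup whenever the directory exists, even if it is empty or holds files from an earlier job, so the build can pick up stale keys or fail on a missing SIGNER.esl. Testing for the file the build actually needs, /tmp/capsules/SIGNER.esl, would be more robust. The comparison of BUILDMAN against the literal strings "sandbox" and "sandbox x86" also has to be kept in step with the job matrix by hand.
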
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index cfd58513c3..aec6ffaf1c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -37,6 +37,17 @@ stages:
 export 
OPENSBI=/tmp/opensbi-1.2-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
   fi
 
+- mkdir -p /tmp/capsules/;
+- echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
+- echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
+- echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
+- echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+- if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == 
"sandbox_flattree" ]]; then
+   openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
-keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
+   openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
-keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 
365;
+   cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
+  fi
+
   after_script:
 - cp -v /tmp/${TEST_PY_BD}/*.{html,css} .
 - rm -rf /tmp/uboot-test-hooks /tmp/venv
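
Review bot: the payload files are created for every TEST_PY_BD while the keys are created only for sandbox and sandbox_flattree, and the block duplicates the azure setup line for line. If only those two boards consume /tmp/capsules/, the mkdir and echo lines belong inside the same `if`.
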
@@ -131,6 +142,17 @@ build all other platforms:
   stage: world build
   script:
 - ret=0;
+  if [ ! -d "/tmp/capsules/" ]; then
+mkdir -p /tmp/capsules/;
+echo -n "u-boot:Old" 

[PATCH v4 09/12] test: py: Setup capsule files for testing

2023-07-15 Thread Sughosh Ganu
Support has been added through earlier commits to build capsules and
embed the public key needed for capsule authentication as part of
u-boot build.

From the testing point-of-view, this means the input files needed for
the above have to be setup before invoking the build. Set this up in
the pytest configuration file for testing the capsule update feature.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Simon Glass 
---
Changes since V3:
* Use fstrings for format specifiers.

 test/py/conftest.py | 84 +
 1 file changed, 84 insertions(+)

diff --git a/test/py/conftest.py b/test/py/conftest.py
index fc9dd3a83f..1092cb713b 100644
--- a/test/py/conftest.py
+++ b/test/py/conftest.py
@@ -80,6 +80,86 @@ def pytest_addoption(parser):
 help='Run sandbox under gdbserver. The argument is the channel '+
 'over which gdbserver should communicate, e.g. localhost:1234')
 
+def setup_capsule_build(source_dir, build_dir, board_type, log):
+"""Setup the platform's build for testing capsule updates
+
+This generates the payload/input files needed for testing the
+capsule update functionality, along with the keys for signing
+the capsules. An EFI Signature List(ESL) file, which houses the
+public key for capsule authentication is generated as
+well.
+
+The ESL file is subsequently embedded into the platform's
+dtb during the u-boot build, to be used for capsule
+authentication.
+
+Two sets of keys are generated, namely SIGNER and SIGNER2.
+The SIGNER2 key pair is used as a malicious key for testing the
+the capsule authentication functionality.
+
+All the generated files are placed under the /tmp/capsules/
+directory.
+
+Args:
+soruce_dir (str): Directory containing source code
+build_dir (str): Directory to build in
+board_type (str): board_type parameter (e.g. 'sandbox')
+log (Logfile): Log file to use
+
+Returns:
+Nothing.
+"""
+def run_command(name, cmd, source_dir):
+with log.section(name):
+if isinstance(cmd, str):
+cmd = cmd.split()
+runner = log.get_runner(name, None)
+runner.run(cmd, cwd=source_dir)
+runner.close()
+log.status_pass('OK')
+
+def gen_capsule_payloads(capsule_dir):
+fname = f'{capsule_dir}u-boot.bin.old'
+with open(fname, 'w') as fd:
+fd.write('u-boot:Old')
+
+fname = f'{capsule_dir}u-boot.bin.new'
+with open(fname, 'w') as fd:
+fd.write('u-boot:New')
+
+fname = f'{capsule_dir}u-boot.env.old'
+with open(fname, 'w') as fd:
+fd.write('u-boot-env:Old')
+
+fname = f'{capsule_dir}u-boot.env.new'
+with open(fname, 'w') as fd:
+fd.write('u-boot-env:New')
+
+capsule_sig_dir = '/tmp/capsules/'
+sig_name = 'SIGNER'
+mkdir_p(capsule_sig_dir)
+name = 'openssl'
+cmd = ( 'openssl req -x509 -sha256 -newkey rsa:2048 '
+'-subj /CN=TEST_SIGNER/ -keyout '
+f'{capsule_sig_dir}{sig_name}.key '
+f'-out {capsule_sig_dir}{sig_name}.crt -nodes -days 365' )
+run_command(name, cmd, source_dir)
+
+name = 'cert-to-efi-sig-list'
+cmd = ( f'cert-to-efi-sig-list {capsule_sig_dir}{sig_name}.crt '
+f'{capsule_sig_dir}{sig_name}.esl' )
+run_command(name, cmd, source_dir)
+
+sig_name = 'SIGNER2'
+name = 'openssl'
+cmd = ( 'openssl req -x509 -sha256 -newkey rsa:2048 '
+'-subj /CN=TEST_SIGNER/ -keyout '
+f'{capsule_sig_dir}{sig_name}.key '
+f'-out {capsule_sig_dir}{sig_name}.crt -nodes -days 365' )
+run_command(name, cmd, source_dir)
+
+gen_capsule_payloads(capsule_sig_dir)
+
 def run_build(config, source_dir, build_dir, board_type, log):
 """run_build: Build U-Boot
 
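Review bot: `capsule_sig_dir = '/tmp/capsules/'` in setup_capsule_build() puts the signing keys, and the ESL that the build embeds into the dtb, in a fixed and predictable directory. On a shared host another user can create /tmp/capsules first or replace SIGNER.esl between key generation and the build, and two test runs on one machine overwrite each other's keys. Suggest creating the directory under build_dir (passed in but unused in this function, as is board_type) or with tempfile.mkdtemp(), and handing that path to the build. Smaller points in the same hunk: the docstring has `soruce_dir` and a doubled "the the", and the two `openssl req` blocks differ only in sig_name, so a loop over ('SIGNER', 'SIGNER2') would remove the duplication.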
@@ -90,6 +170,10 @@ def run_build(config, source_dir, build_dir, board_type, 
log):
 board_type (str): board_type parameter (e.g. 'sandbox')
 log (Logfile): Log file to use
 """
+capsule_boards = ( 'sandbox', 'sandbox64', 'sandbox_flattree' )
+if board_type in capsule_boards:
+setup_capsule_build(source_dir, build_dir, board_type, log)
+
 if config.getoption('buildman'):
 if build_dir != source_dir:
 dest_args = ['-o', build_dir, '-w']
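Review bot: The `if board_type in capsule_boards:` check in run_build() calls setup_capsule_build() on every build of these boards, which makes openssl and cert-to-efi-sig-list hard requirements for running any test on sandbox, not only the capsule tests. Suggest checking for the tools up front and failing with a message that names the missing one, or gating the call on capsule authentication being enabled. The tuple also lists 'sandbox64', while the defconfig hunks shown in this thread set CONFIG_EFI_CAPSULE_ESL_FILE only for sandbox and sandbox_flattree; either drop it or say in the commit message why it is there.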
-- 
2.34.1



[PATCH v4 10/12] test: capsule: Remove public key embed logic from capsule update test

2023-07-15 Thread Sughosh Ganu
The embedding of the public key EFI Signature List(ESL) file into the
platform's DTB is now done at the time of u-boot build. Remove this
logic from the capsule update test's configuration.

Include the public key for the sandbox and sandbox_flattree variant
as part of the build.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Simon Glass 
---
Changes since V3:
* Rebase on top of current master to work with test configuration for
  version support in capsule updates.

 configs/sandbox_defconfig|  1 +
 configs/sandbox_flattree_defconfig   |  1 +
 test/py/tests/test_efi_capsule/conftest.py   | 37 
 test/py/tests/test_efi_capsule/signature.dts | 10 --
 4 files changed, 9 insertions(+), 40 deletions(-)
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts

diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index 4cef6c5153..560f3317d9 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -340,6 +340,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
 CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
 CONFIG_EFI_SECURE_BOOT=y
 CONFIG_TEST_FDTDEC=y
 CONFIG_UNIT_TEST=y
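Review bot: `CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"` makes sandbox_defconfig depend on a file outside both the source and build trees, and the check that 03/12 adds to lib/efi_loader/Makefile stops the build with $(error ...) when that file is missing. A plain `make sandbox_defconfig` followed by `make` therefore fails unless the test harness or the CI step has generated the key first. Suggest documenting that prerequisite next to the symbol, or pointing the symbol at a path the build itself can populate. The same applies to the sandbox_flattree_defconfig hunk that follows.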
diff --git a/configs/sandbox_flattree_defconfig 
b/configs/sandbox_flattree_defconfig
index e7657d40dc..8d60744771 100644
--- a/configs/sandbox_flattree_defconfig
+++ b/configs/sandbox_flattree_defconfig
@@ -226,6 +226,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
 CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
 CONFIG_UNIT_TEST=y
 CONFIG_UT_TIME=y
 CONFIG_UT_DM=y
diff --git a/test/py/tests/test_efi_capsule/conftest.py 
b/test/py/tests/test_efi_capsule/conftest.py
index 054be1ee97..99b502902e 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -25,48 +25,25 @@ def efi_capsule_data(request, u_boot_config):
 image_path = u_boot_config.persistent_data_dir + '/test_efi_capsule.img'
 
 try:
+capsules_path_dir = '/tmp/capsules/'
 # Create a target device
 check_call('dd if=/dev/zero of=./spi.bin bs=1MiB count=16', shell=True)
 
 check_call('rm -rf %s' % mnt_point, shell=True)
 check_call('mkdir -p %s' % data_dir, shell=True)
 check_call('mkdir -p %s' % install_dir, shell=True)
-
-capsule_auth_enabled = u_boot_config.buildconfig.get(
-'config_efi_capsule_authenticate')
-if capsule_auth_enabled:
-# Create private key (SIGNER.key) and certificate (SIGNER.crt)
-check_call('cd %s; '
-   'openssl req -x509 -sha256 -newkey rsa:2048 '
-'-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
-'-out SIGNER.crt -nodes -days 365'
-   % data_dir, shell=True)
-check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
-   % (data_dir, EFITOOLS_PATH), shell=True)
-
-# Update dtb adding capsule certificate
-check_call('cd %s; '
-   'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
-   % (data_dir, u_boot_config.source_dir), shell=True)
-check_call('cd %s; '
-   'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
-   'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
-'-o test_sig.dtb signature.dtbo'
-   % (data_dir, u_boot_config.build_dir), shell=True)
-
-# Create *malicious* private key (SIGNER2.key) and certificate
-# (SIGNER2.crt)
-check_call('cd %s; '
-   'openssl req -x509 -sha256 -newkey rsa:2048 '
-'-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
-'-out SIGNER2.crt -nodes -days 365'
-   % data_dir, shell=True)
+check_call('cp %s/* %s ' % (capsules_path_dir, data_dir), shell=True)
 
 # Update dtb to add the version information
 check_call('cd %s; '
'cp %s/test/py/tests/test_efi_capsule/version.dts .'
% (data_dir, u_boot_config.source_dir), shell=True)
+
+capsule_auth_enabled = u_boot_config.buildconfig.get(
+'config_efi_capsule_authenticate')
 if capsule_auth_enabled:
+check_call('cp %s/arch/sandbox/dts/test.dtb %s/test_sig.dtb' %
+   (u_boot_config.build_dir, data_dir), 
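Review bot: The added `check_call('cp %s/* %s ' % (capsules_path_dir, data_dir), shell=True)` copies everything found in /tmp/capsules/, private keys included, through a shell glob, so the test data directory receives whatever happens to be in that shared directory at the time. Suggest copying an explicit list of the files the tests use (shutil.copy on each) and dropping shell=True for this step. `capsules_path_dir` already ends in '/', so the format string also produces a double slash.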

[PATCH v4 11/12] sandbox: capsule: Add a config file for generating capsules

2023-07-15 Thread Sughosh Ganu
Support has been added to the mkeficapsule tool to generate capsules
by parsing the capsule parameters through a config file. Add a config
file for generating capsules. These capsules will be used for testing
the capsule update feature on sandbox platform.

Enable generation of capsules through the config file on the sandbox
variant.

Signed-off-by: Sughosh Ganu 
---
Changes since V3:
* Use fstrings for format specifiers.
* Add entries for generating capsules with version parameter.

 .azure-pipelines.yml  |   2 +
 .gitlab-ci.yml|   2 +
 configs/sandbox_defconfig |   2 +
 test/py/conftest.py   |   5 +
 .../test_efi_capsule/sandbox_capsule_cfg.txt  | 162 ++
 5 files changed, 173 insertions(+)
 create mode 100644 test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt

diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
index d732ba443d..240ee4f692 100644
--- a/.azure-pipelines.yml
+++ b/.azure-pipelines.yml
@@ -403,6 +403,7 @@ stages:
   echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
   echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
   echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+  cp test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt 
/tmp/capsules/;
   if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == 
"sandbox_flattree" ]]; then
   openssl req -x509 -sha256 -newkey rsa:2048 -subj 
/CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt 
-nodes -days 365;
   openssl req -x509 -sha256 -newkey rsa:2048 -subj 
/CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out 
/tmp/capsules/SIGNER2.crt -nodes -days 365;
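Review bot: The added `cp test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt /tmp/capsules/;` step sits above the `if [[ "${TEST_PY_BD}" == "sandbox" ]]` check, so it runs for every board in this job although only the sandbox variant uses the file. The same line is repeated in the second azure hunk and in both .gitlab-ci.yml hunks, and the diffstat shows setup_capsule_build() in test/py/conftest.py being changed as well. Suggest moving the whole /tmp/capsules setup into one script that both CI files and conftest.py call, so the copies cannot drift apart.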
@@ -600,6 +601,7 @@ stages:
   echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
   echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
   echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+  cp test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt 
/tmp/capsules/;
 
   openssl req -x509 -sha256 -newkey rsa:2048 -subj 
/CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt 
-nodes -days 365;
   openssl req -x509 -sha256 -newkey rsa:2048 -subj 
/CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out 
/tmp/capsules/SIGNER2.crt -nodes -days 365;
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index aec6ffaf1c..42456e5f3f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -42,6 +42,7 @@ stages:
 - echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
 - echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
 - echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+- cp test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt /tmp/capsules/;
 - if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == 
"sandbox_flattree" ]]; then
openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
-keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
-keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 
365;
@@ -148,6 +149,7 @@ build all other platforms:
 echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
 echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
 echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
+cp test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt 
/tmp/capsules/;
 
 openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
-keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
 openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
-keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 
365;
diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index 560f3317d9..f3c09f845a 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -341,6 +341,8 @@ CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
 CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
+CONFIG_EFI_CAPSULE_CFG_FILE="/tmp/capsules/sandbox_capsule_cfg.txt"
+CONFIG_EFI_USE_CAPSULE_CFG_FILE=y
 CONFIG_EFI_SECURE_BOOT=y
 CONFIG_TEST_FDTDEC=y
 CONFIG_UNIT_TEST=y
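Review bot: `CONFIG_EFI_CAPSULE_CFG_FILE="/tmp/capsules/sandbox_capsule_cfg.txt"` adds a second build input outside the tree, and unlike the ESL path, which 03/12 checks with $(error ...) in lib/efi_loader/Makefile, nothing shown in this patch verifies that the file exists before the build uses it. The file already lives in the tree at test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt; if the symbol can be resolved relative to the source tree, pointing it there would remove the copy step from both CI files and from conftest.py.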
diff --git a/test/py/conftest.py b/test/py/conftest.py
index 1092cb713b..20b8dc1913 100644
--- a/test/py/conftest.py
+++ b/test/py/conftest.py
@@ -158,6 +158,11 @@ def setup_capsule_build(source_dir, build_dir, board_type, 
log):
 f'-out {capsule_sig_dir}{sig_name}

[PATCH v4 12/12] sandbox: capsule: Generate capsule related files through binman

2023-07-15 Thread Sughosh Ganu
The EFI capsule files can now be generated as part of u-boot
build. This is done through binman. Add capsule entry nodes in the
u-boot.dtsi for the sandbox architecture for generating the
capsules. Remove the corresponding generation of capsules from the
capsule update conftest file.

The capsules are generated through the config file for the sandbox
variant, and through explicit parameters for the sandbox_flattree
variant.

Also generate the FIT image used for testing the capsule update
feature on the sandbox_flattree variant through binman. Remove the now
superfluous its file which was used for generating this FIT image.

Signed-off-by: Sughosh Ganu 
---
Changes since V3:
* Use blob nodes instead of incbin for including the binaries in FIT
  image.
* Enable generation of capsules with versioning support.

 arch/sandbox/dts/u-boot.dtsi  | 265 ++
 test/py/tests/test_efi_capsule/conftest.py| 127 -
 .../tests/test_efi_capsule/uboot_bin_env.its  |  36 ---
 3 files changed, 265 insertions(+), 163 deletions(-)
 delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its

diff --git a/arch/sandbox/dts/u-boot.dtsi b/arch/sandbox/dts/u-boot.dtsi
index 60bd004937..7b0250ac81 100644
--- a/arch/sandbox/dts/u-boot.dtsi
+++ b/arch/sandbox/dts/u-boot.dtsi
@@ -13,5 +13,270 @@
capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
};
 #endif
+
+   binman: binman {
+   multiple-images;
+   };
+};
+
+&binman {
+   itb {
+   filename = "/tmp/capsules/uboot_bin_env.itb";
+
+   fit {
+   description = "Automatic U-Boot environment update";
+   #address-cells = <2>;
+
+   images {
+   u-boot-bin {
+   description = "U-Boot binary on SPI 
Flash";
+   compression = "none";
+   type = "firmware";
+   arch = "sandbox";
+   load = <0>;
+   blob {
+   filename = 
"/tmp/capsules/u-boot.bin.new";
+   };
+
+   hash-1 {
+   algo = "sha1";
+   };
+   };
+   u-boot-env {
+   description = "U-Boot environment on 
SPI Flash";
+   compression = "none";
+   type = "firmware";
+   arch = "sandbox";
+   load = <0>;
+   blob {
+   filename = 
"/tmp/capsules/u-boot.env.new";
+   };
+
+   hash-1 {
+   algo = "sha1";
+   };
+   };
+   };
+   };
+   };
+
+#ifdef CONFIG_EFI_USE_CAPSULE_CFG_FILE
+   capsule1 {
+   capsule {
+   cfg-file = CONFIG_EFI_CAPSULE_CFG_FILE;
+   };
+   };
+#else
+   capsule2 {
+   capsule {
+   image-index = <0x1>;
+   image-type-id = "09D7CF52-0720-4710-91D1-08469B7FE9C8";
+   filename = "/tmp/capsules/u-boot.bin.new";
+   capsule = "/tmp/capsules/Test01";
+   };
+   };
+
+   capsule3 {
+   capsule {
+   image-index = <0x2>;
+   image-type-id = "5A7021F5-FEF2-48B4-AABA-832E777418C0";
+   filename = "/tmp/capsules/u-boot.env.new";
+   capsule = "/tmp/capsules/Test02";
+   };
+   };
+
+   capsule4 {
+   capsule {
+   image-index = <0x1>;
+   image-type-id = "058B7D83-50D5-4C47-A195-60D86AD341C4";
+   filename = "/tmp/capsules/u-boot.bin.new";
+   capsule = "/tmp/capsules/Test03";
+   };
+   };
+
+   capsule5 {
+   capsule {
+   image-index = <0x1>;
+   image-type-id = "3673B45D-6A7C-46F3-9E60-ADABB03F7937";
+   filename = "
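Review bot: The `filename = "/tmp/capsules/uboot_bin_env.itb"` property on the itb node and the `capsule = "/tmp/capsules/Test01"` style properties on the capsule nodes make the build write its outputs to absolute paths outside the build directory, so two builds on one host overwrite each other's capsules and cleaning the build tree leaves them behind. Suggest emitting them relative to the binman output directory and having conftest.py collect them from u_boot_config.build_dir. Separately, both images in the FIT use `algo = "sha1"` under hash-1; sha256 would be the better choice for a newly written test image.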

Re: [PATCH v4 03/12] capsule: authenticate: Add capsule public key in platform's dtb

2023-07-17 Thread Sughosh Ganu
hi Simon,

On Sun, 16 Jul 2023 at 05:12, Simon Glass  wrote:
>
> Hi Sughosh,
>
> On Sat, 15 Jul 2023 at 07:46, Sughosh Ganu  wrote:
> >
> > The EFI capsule authentication logic in u-boot expects the public key
> > in the form of an EFI Signature List(ESL) to be provided as part of
> > the platform's dtb. Currently, the embedding of the ESL file into the
> > dtb needs to be done manually.
> >
> > Add a signature node in the u-boot dtsi file and include the public
> > key through the capsule-key property. This file is per architecture,
> > and is currently being added for sandbox and arm architectures. It
> > will have to be added for other architectures which need to enable
> > capsule authentication support.
> >
> > The path to the ESL file is specified through the
> > CONFIG_EFI_CAPSULE_ESL_FILE symbol.
> >
> > Signed-off-by: Sughosh Ganu 
> > ---
> > Changes since V3:
> > * Put the two ifdef statements together in arm architecture's
> >   u-boot.dtsi file.
> > * Remove the extra blank line in the Kconfig.
> >
> >  arch/arm/dts/u-boot.dtsi | 17 +
> >  arch/sandbox/dts/u-boot.dtsi | 17 +
> >  lib/efi_loader/Kconfig   | 10 ++
> >  lib/efi_loader/Makefile  |  7 +++
> >  4 files changed, 51 insertions(+)
> >  create mode 100644 arch/arm/dts/u-boot.dtsi
> >  create mode 100644 arch/sandbox/dts/u-boot.dtsi
>
> This approach seems OK to me for now. It is a bit strange to specify a
> CONFIG option to add something to the DT, but we can always adjust it
> later if needed.
>
> >
> > diff --git a/arch/arm/dts/u-boot.dtsi b/arch/arm/dts/u-boot.dtsi
> > new file mode 100644
> > index 00..2a9359c43c
> > --- /dev/null
> > +++ b/arch/arm/dts/u-boot.dtsi
> > @@ -0,0 +1,17 @@
> > +// SPDX-License-Identifier: GPL-2.0+
> > +/*
>
> /**
>
> for multi-line comments

Okay

>
> > + * Devicetree file with miscellaneous nodes that will be included
> > + * at build time into the DTB. Currently being used for including
> > + * capsule related information.
> > + *
>
> drop blank line

Okay

>
> > + */
> > +
> > +#ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT
> > +#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
>
> Can you combine these, or can you omit the first one?

I will drop the first line. Should build for all platforms I believe.

>
> > +/ {
> > +   signature {
> > +   capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
> > +   };
> > +};
> > +#endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */
> > +#endif /* CONFIG_EFI_HAVE_CAPSULE_SUPPORT */
> > diff --git a/arch/sandbox/dts/u-boot.dtsi b/arch/sandbox/dts/u-boot.dtsi
> > new file mode 100644
> > index 00..60bd004937
> > --- /dev/null
> > +++ b/arch/sandbox/dts/u-boot.dtsi
> > @@ -0,0 +1,17 @@
> > +// SPDX-License-Identifier: GPL-2.0+
> > +/*
> > + * Devicetree file with miscellaneous nodes that will be included
> > + * at build time into the DTB. Currently being used for including
> > + * capsule related information.
> > + *
> > + */
> > +
> > +#ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT
> > +/ {
> > +#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
> > +   signature {
> > +   capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
> > +   };
> > +#endif
> > +};
> > +#endif /* CONFIG_EFI_HAVE_CAPSULE_SUPPORT */
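Review bot: The header comment in arch/sandbox/dts/u-boot.dtsi has the same `/*` opener and trailing empty ` *` line that were flagged on arch/arm/dts/u-boot.dtsi above, and this file nests `#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE` inside the root node while the arm file wraps the whole node. Suggest applying the same comment fixes here and using one guard layout in both files.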
> > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> > index a22e47616f..9abb9a4db3 100644
> > --- a/lib/efi_loader/Kconfig
> > +++ b/lib/efi_loader/Kconfig
> > @@ -235,6 +235,16 @@ config EFI_CAPSULE_MAX
> >   Select the max capsule index value used for capsule report
> >   variables. This value is used to create CapsuleMax variable.
> >
> > +config EFI_CAPSULE_ESL_FILE
> > +   string "Path to the EFI Signature List File"
> > +   default ""
> > +   depends on EFI_CAPSULE_AUTHENTICATE
> > +   help
> > + Provides the absolute path to the EFI Signature List
> > + file which will be embedded in the platform's device
> > + tree and used for capsule authentication at the time
> > + of capsule update.
>
> Can you wrap to 72 chars or so?

Okay

-sughosh

>
> > +
> >  config EFI_DEVICE_PATH_TO_TEXT
> > bool "Device path to text protocol"
> > default y
> > diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
> > index 1a8c8d7cab..c52c9d27bd 100644
> > --- a/lib/efi_loader/Makefile
> > +++ b/lib/efi_loader/Makefile
> > @@ -89,3 +89,10 @@ obj-$(CONFIG_EFI_ECPT) += efi_conformance.o
> >
> >  EFI_VAR_SEED_FILE := $(subst $\",,$(CONFIG_EFI_VAR_SEED_FILE))
> >  $(obj)/efi_var_seed.o: $(srctree)/$(EFI_VAR_SEED_FILE)
> > +
> > +ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y)
> > +EFI_CAPSULE_KEY_PATH := $(subst $\",,$(CONFIG_EFI_CAPSULE_ESL_FILE))
> > +ifeq ("$(wildcard $(EFI_CAPSULE_KEY_PATH))","")
> > +$(error .esl cerificate not found. Configure your 
> > CONFIG_EFI_CAPSULE_ESL_FILE)
> > +endif
> > +endif
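Review bot: The `$(error ...)` in the added ifeq block fires whenever CONFIG_EFI_CAPSULE_AUTHENTICATE=y and the path does not exist, and because the Kconfig hunk gives EFI_CAPSULE_ESL_FILE `default ""`, every configuration that already enables capsule authentication stops building until it sets the new symbol. Suggest stating that in the commit message and in the Kconfig help, fixing the "cerificate" typo, and including $(EFI_CAPSULE_KEY_PATH) in the message so the user sees which path was looked up.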
> > --
> > 2.34.1
> >
>
> Regards,
> Simon


Re: [PATCH v4 11/12] sandbox: capsule: Add a config file for generating capsules

2023-07-17 Thread Sughosh Ganu
hi Simon,

On Sun, 16 Jul 2023 at 05:12, Simon Glass  wrote:
>
> Hi,
>
> On Sat, 15 Jul 2023 at 07:46, Sughosh Ganu  wrote:
> >
> > Support has been added to the mkeficapsule tool to generate capsules
> > by parsing the capsule parameters through a config file. Add a config
> > file for generating capsules. These capsules will be used for testing
> > the capsule update feature on sandbox platform.
> >
> > Enable generation of capsules through the config file on the sandbox
> > variant.
> >
> > Signed-off-by: Sughosh Ganu 
> > ---
> > Changes since V3:
> > * Use fstrings for format specifiers.
> > * Add entries for generating capsules with version parameter.
> >
> >  .azure-pipelines.yml  |   2 +
> >  .gitlab-ci.yml|   2 +
> >  configs/sandbox_defconfig |   2 +
> >  test/py/conftest.py   |   5 +
> >  .../test_efi_capsule/sandbox_capsule_cfg.txt  | 162 ++
> >  5 files changed, 173 insertions(+)
> >  create mode 100644 test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt
> >
> > diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
> > index d732ba443d..240ee4f692 100644
> > --- a/.azure-pipelines.yml
> > +++ b/.azure-pipelines.yml
> > @@ -403,6 +403,7 @@ stages:
> >echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> >echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> >echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> > +  cp test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt 
> > /tmp/capsules/;
> >if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == 
> > "sandbox_flattree" ]]; then
> >openssl req -x509 -sha256 -newkey rsa:2048 -subj 
> > /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out 
> > /tmp/capsules/SIGNER.crt -nodes -days 365;
> >openssl req -x509 -sha256 -newkey rsa:2048 -subj 
> > /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out 
> > /tmp/capsules/SIGNER2.crt -nodes -days 365;
> > @@ -600,6 +601,7 @@ stages:
> >echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> >echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> >echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> > +  cp 
> > test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt /tmp/capsules/;
> >
> >openssl req -x509 -sha256 -newkey rsa:2048 -subj 
> > /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out 
> > /tmp/capsules/SIGNER.crt -nodes -days 365;
> >openssl req -x509 -sha256 -newkey rsa:2048 -subj 
> > /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out 
> > /tmp/capsules/SIGNER2.crt -nodes -days 365;
> > diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
> > index aec6ffaf1c..42456e5f3f 100644
> > --- a/.gitlab-ci.yml
> > +++ b/.gitlab-ci.yml
> > @@ -42,6 +42,7 @@ stages:
> >  - echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> >  - echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> >  - echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> > +- cp test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt 
> > /tmp/capsules/;
> >  - if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == 
> > "sandbox_flattree" ]]; then
> > openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
> > -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 
> > 365;
> > openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
> > -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes 
> > -days 365;
> > @@ -148,6 +149,7 @@ build all other platforms:
> >  echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> >  echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> >  echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> > +cp test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt 
> > /tmp/capsules/;
> >
> >  openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ 
> > -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 
> > 365;
> >  openssl req -x5

Re: [PATCH v4 06/12] binman: capsule: Add support for generating capsules

2023-07-17 Thread Sughosh Ganu
hi Simon,

On Sun, 16 Jul 2023 at 05:12, Simon Glass  wrote:
>
> Hi Sughosh,
>
> On Sat, 15 Jul 2023 at 07:46, Sughosh Ganu  wrote:
> >
> > Add support in binman for generating capsules. The capsule parameters
> > can be specified either through a config file or through the capsule
> > binman entry. Also add test cases in binman for capsule generation,
> > and enable this testing on the sandbox_spl variant.
>
> Can you use sandbox instead, or perhaps sandbox_spl? SPL is really for
> SPL testing.

Er, I am actually using the sandbox_spl variant.

>
> >
> > Signed-off-by: Sughosh Ganu 
> > ---
> > Changes since V3:
> > * Add test cases for covering the various capsule generation
> >   scenarios.
> > * Add function comments in the mkeficapsule bintool.
> > * Fix the fetch method of the mkeficapsule bintool to enable building
> >   the tool.
> > * Add more details about the capsule parameters in the documentation
> >   as well as the code.
> > * Fix order of module imports, and addition of blank lines in the
> >   capsule.py file.
> > * Use SetContents in the ObtainContents method.
> >
> >  configs/sandbox_spl_defconfig |   1 +
> >  tools/binman/btool/mkeficapsule.py| 158 ++
> >  tools/binman/entries.rst  |  37 
> >  tools/binman/etype/capsule.py | 132 +++
> >  tools/binman/ftest.py | 127 ++
> >  tools/binman/test/282_capsule.dts |  18 ++
> >  tools/binman/test/283_capsule_signed.dts  |  20 +++
> >  tools/binman/test/284_capsule_conf.dts|  14 ++
> >  tools/binman/test/285_capsule_missing_key.dts |  19 +++
> >  .../binman/test/286_capsule_missing_index.dts |  17 ++
> >  .../binman/test/287_capsule_missing_guid.dts  |  17 ++
> >  .../test/288_capsule_missing_payload.dts  |  17 ++
> >  tools/binman/test/289_capsule_missing.dts |  17 ++
> >  tools/binman/test/290_capsule_version.dts |  19 +++
> >  tools/binman/test/capsule_cfg.txt |   6 +
> >  15 files changed, 619 insertions(+)
> >  create mode 100644 tools/binman/btool/mkeficapsule.py
> >  create mode 100644 tools/binman/etype/capsule.py
> >  create mode 100644 tools/binman/test/282_capsule.dts
> >  create mode 100644 tools/binman/test/283_capsule_signed.dts
> >  create mode 100644 tools/binman/test/284_capsule_conf.dts
> >  create mode 100644 tools/binman/test/285_capsule_missing_key.dts
> >  create mode 100644 tools/binman/test/286_capsule_missing_index.dts
> >  create mode 100644 tools/binman/test/287_capsule_missing_guid.dts
> >  create mode 100644 tools/binman/test/288_capsule_missing_payload.dts
> >  create mode 100644 tools/binman/test/289_capsule_missing.dts
> >  create mode 100644 tools/binman/test/290_capsule_version.dts
> >  create mode 100644 tools/binman/test/capsule_cfg.txt
>
> This looks pretty good to me. Some nits below
>
> >
> > diff --git a/configs/sandbox_spl_defconfig b/configs/sandbox_spl_defconfig
> > index dd848c57c6..2fcc789347 100644
> > --- a/configs/sandbox_spl_defconfig
> > +++ b/configs/sandbox_spl_defconfig
> > @@ -248,3 +248,4 @@ CONFIG_UNIT_TEST=y
> >  CONFIG_SPL_UNIT_TEST=y
> >  CONFIG_UT_TIME=y
> >  CONFIG_UT_DM=y
> > +CONFIG_TOOLS_MKEFICAPSULE=y
>
> Why enabling this here? I don't think it is needed in sandbox_spl, but
> in any case it should be in a different patch if needed.

The binman tests run on the sandbox_spl variant. When running the
capsule generation tests, the mkeficapsule tool should be present on
the board variant, no?

>
> > diff --git a/tools/binman/btool/mkeficapsule.py 
> > b/tools/binman/btool/mkeficapsule.py
> > new file mode 100644
> > index 00..ba6b666714
> > --- /dev/null
> > +++ b/tools/binman/btool/mkeficapsule.py
> > @@ -0,0 +1,158 @@
> > +# SPDX-License-Identifier: GPL-2.0+
> > +# Copyright 2023 Linaro Limited
> > +#
> > +"""Bintool implementation for mkeficapsule tool
> > +
> > +mkeficapsule is a tool used for generating EFI capsules.
> > +
> > +The following are the command-line options to be provided
> > +to the tool
> > +Usage: mkeficapsule [options]  
> > +Options:
> > +   -g, --guid guid for image blob type
> > +   -i, --index  update image index
> > +   -I, --instanceupdate hardware instance
> > +   -v, --fw-version   firmware version
> > +   -p, --private-key   private key file
> > +   -c, --certificate  signer's

Re: [PATCH v4 01/12] binman: bintool: Build a tool from a list of commands

2023-07-17 Thread Sughosh Ganu
hi Simon,

On Sun, 16 Jul 2023 at 05:12, Simon Glass  wrote:
>
> Hi Sughosh,
>
> On Sat, 15 Jul 2023 at 07:46, Sughosh Ganu  wrote:
> >
> > Add support to build a tool from source with a list of commands. This
> > is useful when a tool can be built with multiple commands instead of a
> > single command.
> >
> > Signed-off-by: Sughosh Ganu 
> > ---
> > Changes since V3:
> > * New patch to support passing multiple commands to the build_from_git
> >   function to build the tool.
> >
> >  tools/binman/bintool.py| 19 +++
> >  tools/binman/btool/_testing.py |  3 ++-
> >  tools/binman/btool/fiptool.py  |  4 +++-
> >  tools/binman/btool/futility.py |  4 +++-
> >  4 files changed, 19 insertions(+), 11 deletions(-)
> >
> > diff --git a/tools/binman/bintool.py b/tools/binman/bintool.py
> > index 81629683df..279bf2fec4 100644
> > --- a/tools/binman/bintool.py
> > +++ b/tools/binman/bintool.py
> > @@ -328,7 +328,7 @@ class Bintool:
> >  return result.stdout
> >
> >  @classmethod
> > -def build_from_git(cls, git_repo, make_target, bintool_path, 
> > flags=None):
> > +def build_from_git(cls, git_repo, make_targets, bintool_path, 
> > flags=None):
> >  """Build a bintool from a git repo
> >
> >  This clones the repo in a temporary directory, builds it with 
> > 'make',
> > @@ -336,7 +336,8 @@ class Bintool:
> >
> >  Args:
> >  git_repo (str): URL of git repo
> > -make_target (str): Target to pass to 'make' to build the tool
> > +make_targets (list of str): List of targets to pass to 'make' 
> > to build
> > +the tool
> >  bintool_path (str): Relative path of the tool in the repo, 
> > after
> >  build is complete
> >  flags (list of str): Flags or variables to pass to make, or 
> > None
> > @@ -350,12 +351,14 @@ class Bintool:
> >  tmpdir = tempfile.mkdtemp(prefix='binmanf.')
> >  print(f"- clone git repo '{git_repo}' to '{tmpdir}'")
> >  tools.run('git', 'clone', '--depth', '1', git_repo, tmpdir)
> > -print(f"- build target '{make_target}'")
> > -cmd = ['make', '-C', tmpdir, '-j', 
> > f'{multiprocessing.cpu_count()}',
> > -   make_target]
> > -if flags:
> > -cmd += flags
> > -tools.run(*cmd)
> > +for target in make_targets:
> > +print(f"- build target '{target}'")
> > +cmd = ['make', '-C', tmpdir, '-j', 
> > f'{multiprocessing.cpu_count()}',
> > +   target]
> > +if flags:
> > +cmd += flags
> > +tools.run(*cmd)
> > +
> >  fname = os.path.join(tmpdir, bintool_path)
> >  if not os.path.exists(fname):
> >  print(f"- File '{fname}' was not produced")
> > diff --git a/tools/binman/btool/_testing.py b/tools/binman/btool/_testing.py
> > index 4005e8a8a5..c0109c76bf 100644
> > --- a/tools/binman/btool/_testing.py
> > +++ b/tools/binman/btool/_testing.py
> > @@ -32,5 +32,6 @@ class Bintool_testing(bintool.Bintool):
> >  return self.apt_install('package')
> >  return self.fetch_from_drive('junk')
> >  if method == bintool.FETCH_BUILD:
> > -return self.build_from_git('url', 'target', 'pathname')
> > +cmd = ['target']
> > +return self.build_from_git('url', cmd, 'pathname')
>
> Instead of the 'cmd' variable here, can you just put ['target'] as the
> function arg? Same below. It doesn't really add anything.

Okay. Will change.

-sughosh

>
> >  return None
> > diff --git a/tools/binman/btool/fiptool.py b/tools/binman/btool/fiptool.py
> > index c80f8275c4..b275fee43b 100644
> > --- a/tools/binman/btool/fiptool.py
> > +++ b/tools/binman/btool/fiptool.py
> > @@ -107,8 +107,10 @@ class Bintoolfiptool(bintool.Bintool):
> >  """
> >  if method != bintool.FETCH_BUILD:
> >  return None
> > +
> > +cmd = ['fiptool']
> &

Re: [PATCH v4 12/12] sandbox: capsule: Generate capsule related files through binman

2023-07-17 Thread Sughosh Ganu
hi Simon,

On Sun, 16 Jul 2023 at 05:12, Simon Glass  wrote:
>
> Hi Sughosh,
>
> On Sat, 15 Jul 2023 at 07:46, Sughosh Ganu  wrote:
> >
> > The EFI capsule files can now be generated as part of u-boot
> > build. This is done through binman. Add capsule entry nodes in the
> > u-boot.dtsi for the sandbox architecture for generating the
> > capsules. Remove the corresponding generation of capsules from the
> > capsule update conftest file.
> >
> > The capsules are generated through the config file for the sandbox
> > variant, and through explicit parameters for the sandbox_flattree
> > variant.
> >
> > Also generate the FIT image used for testing the capsule update
> > feature on the sandbox_flattree variant through binman. Remove the now
> > superfluous its file which was used for generating this FIT image.
> >
> > Signed-off-by: Sughosh Ganu 
> > ---
> > Changes since V3:
> > * Use blob nodes instead of incbin for including the binaries in FIT
> >   image.
> > * Enable generation of capsules with versioning support.
> >
> >  arch/sandbox/dts/u-boot.dtsi  | 265 ++
> >  test/py/tests/test_efi_capsule/conftest.py| 127 -
> >  .../tests/test_efi_capsule/uboot_bin_env.its  |  36 ---
> >  3 files changed, 265 insertions(+), 163 deletions(-)
> >  delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
> >
> > diff --git a/arch/sandbox/dts/u-boot.dtsi b/arch/sandbox/dts/u-boot.dtsi
> > index 60bd004937..7b0250ac81 100644
> > --- a/arch/sandbox/dts/u-boot.dtsi
> > +++ b/arch/sandbox/dts/u-boot.dtsi
> > @@ -13,5 +13,270 @@
> > capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
> > };
> >  #endif
> > +
> > +   binman: binman {
> > +   multiple-images;
> > +   };
> > +};
> > +
> > +&binman {
> > +   itb {
> > +   filename = "/tmp/capsules/uboot_bin_env.itb";
> > +
> > +   fit {
> > +   description = "Automatic U-Boot environment update";
> > +   #address-cells = <2>;
> > +
> > +   images {
> > +   u-boot-bin {
> > +   description = "U-Boot binary on SPI 
> > Flash";
> > +   compression = "none";
> > +   type = "firmware";
> > +   arch = "sandbox";
> > +   load = <0>;
> > +   blob {
> > +   filename = 
> > "/tmp/capsules/u-boot.bin.new";
> > +   };
> > +
> > +   hash-1 {
> > +   algo = "sha1";
> > +   };
> > +   };
> > +   u-boot-env {
> > +   description = "U-Boot environment 
> > on SPI Flash";
> > +   compression = "none";
> > +   type = "firmware";
> > +   arch = "sandbox";
> > +   load = <0>;
> > +   blob {
> > +   filename = 
> > "/tmp/capsules/u-boot.env.new";
> > +   };
> > +
> > +   hash-1 {
> > +   algo = "sha1";
> > +   };
> > +   };
> > +   };
> > +   };
> > +   };
> > +
> > +#ifdef CONFIG_EFI_USE_CAPSULE_CFG_FILE
> > +   capsule1 {
> > +   capsule {
> > +   cfg-file = CONFIG_EFI_CAPSULE_CFG_FILE;
> > +   };
> > +   };
> > +#else
> > +   capsule2 {
> > +   capsule {
> > +   image-index = <0x1>;
> > +   image-type-id = 
> > "09D7CF52-0720-4710-91D1-08469B7FE9C8";
>
> We seem to have a

Re: [PATCH v4 08/12] CI: capsule: Setup the files needed for capsule update testing

2023-07-17 Thread Sughosh Ganu
hi Simon,

On Sun, 16 Jul 2023 at 05:12, Simon Glass  wrote:
>
> Hi,
>
> On Sat, 15 Jul 2023 at 07:46, Sughosh Ganu  wrote:
> >
> > Support has been added through earlier commits to build capsules
> > and embed the public key needed for capsule authentication as part of
> > u-boot build.
> >
> > From the testing point-of-view, this means the input files needed for
> > generating the above have to be set up before invoking the build. Set
> > this up in the CI configuration files for testing the capsule update
> > feature.
> >
> > Signed-off-by: Sughosh Ganu 
> > ---
> > Changes since V3:
> > * Remove whitespace in the command to generate capsule keys.
> >
> >  .azure-pipelines.yml | 24 
> >  .gitlab-ci.yml   | 22 ++
>
> Can you add this to the Dockerfile instead? It looks like this will
> run on each build.

Okay. Let me try this out.

-sughosh

>
> >  2 files changed, 46 insertions(+)
> >
> > diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
> > index 06c46b681c..d732ba443d 100644
> > --- a/.azure-pipelines.yml
> > +++ b/.azure-pipelines.yml
> > @@ -398,6 +398,17 @@ stages:
> >wget -O - 
> > https://github.com/riscv-software-src/opensbi/releases/download/v1.2/opensbi-1.2-rv-bin.tar.xz
> >  | tar -C /tmp -xJ;
> >export 
> > OPENSBI=/tmp/opensbi-1.2-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
> >fi
> > +  mkdir -p /tmp/capsules/;
> > +  echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
> > +  echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> > +  echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> > +  echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> > +  if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == 
> > "sandbox_flattree" ]]; then
> > +  openssl req -x509 -sha256 -newkey rsa:2048 -subj 
> > /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out 
> > /tmp/capsules/SIGNER.crt -nodes -days 365;
> > +  openssl req -x509 -sha256 -newkey rsa:2048 -subj 
> > /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out 
> > /tmp/capsules/SIGNER2.crt -nodes -days 365;
> > +  cert-to-efi-sig-list /tmp/capsules/SIGNER.crt 
> > /tmp/capsules/SIGNER.esl;
> > +  fi
> > +
> ># the below corresponds to .gitlab-ci.yml "script"
> >cd ${WORK_DIR}
> >export UBOOT_TRAVIS_BUILD_DIR=/tmp/${TEST_PY_BD};
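Review bot: In this hunk "mkdir -p /tmp/capsules/" and the four "echo -n" payload files run for every TEST_PY_BD, while only the key and ESL generation sits inside the sandbox/sandbox_flattree check; the next hunk puts the whole sequence under one condition. Move the payload creation inside the "if" as well, and put the sequence in a single script called from each CI file so the copies cannot drift apart. The private keys are written unencrypted (-nodes) next to the payloads, and SIGNER2.crt gets no ESL; a one-line comment on both points would tell the reader that these are throwaway test keys and why the second signer exists.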
> > @@ -582,6 +593,19 @@ stages:
> >cd ${WORK_DIR}
> ># make environment variables available as tests are running 
> > inside a container
> >export BUILDMAN="${BUILDMAN}"
> > +  if [[ "${BUILDMAN}" == "sandbox" ]] || [[ "${BUILDMAN}" == 
> > "sandbox x86" ]]; then
> > +  if [ ! -d "/tmp/capsules/" ]; then
> > +  mkdir -p /tmp/capsules/;
> > +  echo -n "u-boot:Old" >/tmp/capsules/u-boot.bin.old;
> > +  echo -n "u-boot:New" >/tmp/capsules/u-boot.bin.new;
> > +  echo -n "u-boot-env:Old" >/tmp/capsules/u-boot.env.old;
> > +  echo -n "u-boot-env:New" >/tmp/capsules/u-boot.env.new;
> > +
> > +  openssl req -x509 -sha256 -newkey rsa:2048 -subj 
> > /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out 
> > /tmp/capsules/SIGNER.crt -nodes -days 365;
> > +  openssl req -x509 -sha256 -newkey rsa:2048 -subj 
> > /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out 
> > /tmp/capsules/SIGNER2.crt -nodes -days 365;
> > +  cert-to-efi-sig-list /tmp/capsules/SIGNER.crt 
> > /tmp/capsules/SIGNER.esl;
> > +  fi
> > +  fi
> >git config --global --add safe.directory ${WORK_DIR}
> >EOF
> >cat << "EOF" >> build.sh
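Review bot: The guard "if [ ! -d "/tmp/capsules/" ]" treats an existing directory as proof that the payloads, both keys and SIGNER.esl are all present, so a directory left behind by an interrupted or unrelated run skips generation. Test for the file the build actually needs, for example "[ ! -f /tmp/capsules/SIGNER.esl ]", or drop the guard and regenerate each time. The comparison against "sandbox x86" matches only that exact BUILDMAN string; if that is intended, say so in a comment.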
> > diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
> > index cfd58513c3..aec6ffaf1c 100644
> > --- a/.gitlab-ci.yml
> > +++ b/.gitlab-ci.yml
> > @@ -37,6 +37,17 @@ stages:
> >  export 
> > OPENSBI=/tmp/opensbi-1.2-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
> >fi
> >
> > +- mkdir -p /tmp/capsules/;
> > +- echo -n &q

Re: [PATCH v4 06/12] binman: capsule: Add support for generating capsules

2023-07-19 Thread Sughosh Ganu
hi Simon,

On Wed, 19 Jul 2023 at 06:41, Simon Glass  wrote:
>
> Hi Sughosh,
>
> On Mon, 17 Jul 2023 at 04:44, Sughosh Ganu  wrote:
> >
> > hi Simon,
> >
> > On Sun, 16 Jul 2023 at 05:12, Simon Glass  wrote:
> > >
> > > Hi Sughosh,
> > >
> > > > On Sat, 15 Jul 2023 at 07:46, Sughosh Ganu wrote:
> > > >
> > > > Add support in binman for generating capsules. The capsule parameters
> > > > can be specified either through a config file or through the capsule
> > > > binman entry. Also add test cases in binman for capsule generation,
> > > > and enable this testing on the sandbox_spl variant.
> > >
> > > Can you use sandbox instead, or perhaps sandbox_spl? SPL is really for
> > > SPL testing.
> >
> > Er, I am actually using the sandbox_spl variant.
> >
> > >
> > > >
> > > > Signed-off-by: Sughosh Ganu 
> > > > ---
> > > > Changes since V3:
> > > > * Add test cases for covering the various capsule generation
> > > >   scenarios.
> > > > * Add function comments in the mkeficapsule bintool.
> > > > * Fix the fetch method of the mkeficapsule bintool to enable building
> > > >   the tool.
> > > > * Add more details about the capsule parameters in the documentation
> > > >   as well as the code.
> > > > * Fix order of module imports, and addition of blank lines in the
> > > >   capsule.py file.
> > > > * Use SetContents in the ObtainContents method.
> > > >
> > > >  configs/sandbox_spl_defconfig |   1 +
> > > >  tools/binman/btool/mkeficapsule.py| 158 ++
> > > >  tools/binman/entries.rst  |  37 
> > > >  tools/binman/etype/capsule.py | 132 +++
> > > >  tools/binman/ftest.py | 127 ++
> > > >  tools/binman/test/282_capsule.dts |  18 ++
> > > >  tools/binman/test/283_capsule_signed.dts  |  20 +++
> > > >  tools/binman/test/284_capsule_conf.dts|  14 ++
> > > >  tools/binman/test/285_capsule_missing_key.dts |  19 +++
> > > >  .../binman/test/286_capsule_missing_index.dts |  17 ++
> > > >  .../binman/test/287_capsule_missing_guid.dts  |  17 ++
> > > >  .../test/288_capsule_missing_payload.dts  |  17 ++
> > > >  tools/binman/test/289_capsule_missing.dts |  17 ++
> > > >  tools/binman/test/290_capsule_version.dts |  19 +++
> > > >  tools/binman/test/capsule_cfg.txt |   6 +
> > > >  15 files changed, 619 insertions(+)
> > > >  create mode 100644 tools/binman/btool/mkeficapsule.py
> > > >  create mode 100644 tools/binman/etype/capsule.py
> > > >  create mode 100644 tools/binman/test/282_capsule.dts
> > > >  create mode 100644 tools/binman/test/283_capsule_signed.dts
> > > >  create mode 100644 tools/binman/test/284_capsule_conf.dts
> > > >  create mode 100644 tools/binman/test/285_capsule_missing_key.dts
> > > >  create mode 100644 tools/binman/test/286_capsule_missing_index.dts
> > > >  create mode 100644 tools/binman/test/287_capsule_missing_guid.dts
> > > >  create mode 100644 tools/binman/test/288_capsule_missing_payload.dts
> > > >  create mode 100644 tools/binman/test/289_capsule_missing.dts
> > > >  create mode 100644 tools/binman/test/290_capsule_version.dts
> > > >  create mode 100644 tools/binman/test/capsule_cfg.txt
> > >
> > > This looks pretty good to me. Some nits below
> > >
> > > >
> > > > diff --git a/configs/sandbox_spl_defconfig 
> > > > b/configs/sandbox_spl_defconfig
> > > > index dd848c57c6..2fcc789347 100644
> > > > --- a/configs/sandbox_spl_defconfig
> > > > +++ b/configs/sandbox_spl_defconfig
> > > > @@ -248,3 +248,4 @@ CONFIG_UNIT_TEST=y
> > > >  CONFIG_SPL_UNIT_TEST=y
> > > >  CONFIG_UT_TIME=y
> > > >  CONFIG_UT_DM=y
> > > > +CONFIG_TOOLS_MKEFICAPSULE=y
> > >
> > > Why enabling this here? I don't think it is needed in sandbox_spl, but
> > > in any case it should be in a different patch if needed.
> >
> > The binman tests run on the sandbox_spl variant. When running the
> > capsule generation tests, the mkeficapsule tool should be present on
> > the board variant no?
>
> Can we run this on the '

Re: [PATCH v4 12/12] sandbox: capsule: Generate capsule related files through binman

2023-07-19 Thread Sughosh Ganu
hi Simon,

On Wed, 19 Jul 2023 at 06:41, Simon Glass  wrote:
>
> Hi Sughosh,
>
> On Mon, 17 Jul 2023 at 05:18, Sughosh Ganu  wrote:
> >
> > hi Simon,
> >
> > On Sun, 16 Jul 2023 at 05:12, Simon Glass  wrote:
> > >
> > > Hi Sughosh,
> > >
> > > > On Sat, 15 Jul 2023 at 07:46, Sughosh Ganu wrote:
> > > >
> > > > The EFI capsule files can now be generated as part of u-boot
> > > > build. This is done through binman. Add capsule entry nodes in the
> > > > u-boot.dtsi for the sandbox architecture for generating the
> > > > capsules. Remove the corresponding generation of capsules from the
> > > > capsule update conftest file.
> > > >
> > > > The capsules are generated through the config file for the sandbox
> > > > variant, and through explicit parameters for the sandbox_flattree
> > > > variant.
> > > >
> > > > Also generate the FIT image used for testing the capsule update
> > > > feature on the sandbox_flattree variant through binman. Remove the now
> > > > superfluous its file which was used for generating this FIT image.
> > > >
> > > > Signed-off-by: Sughosh Ganu 
> > > > ---
> > > > Changes since V3:
> > > > * Use blob nodes instead of incbin for including the binaries in FIT
> > > >   image.
> > > > * Enable generation of capsules with versioning support.
> > > >
> > > >  arch/sandbox/dts/u-boot.dtsi  | 265 ++
> > > >  test/py/tests/test_efi_capsule/conftest.py| 127 -
> > > >  .../tests/test_efi_capsule/uboot_bin_env.its  |  36 ---
> > > >  3 files changed, 265 insertions(+), 163 deletions(-)
> > > >  delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its
> > > >
> > > > diff --git a/arch/sandbox/dts/u-boot.dtsi b/arch/sandbox/dts/u-boot.dtsi
> > > > index 60bd004937..7b0250ac81 100644
> > > > --- a/arch/sandbox/dts/u-boot.dtsi
> > > > +++ b/arch/sandbox/dts/u-boot.dtsi
> > > > @@ -13,5 +13,270 @@
> > > > capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
> > > > };
> > > >  #endif
> > > > +
> > > > +   binman: binman {
> > > > +   multiple-images;
> > > > +   };
> > > > +};
> > > > +
> > > > +&binman {
> > > > +   itb {
> > > > +   filename = "/tmp/capsules/uboot_bin_env.itb";
> > > > +
> > > > +   fit {
> > > > +   description = "Automatic U-Boot environment 
> > > > update";
> > > > +   #address-cells = <2>;
> > > > +
> > > > +   images {
> > > > +   u-boot-bin {
> > > > +   description = "U-Boot binary on 
> > > > SPI Flash";
> > > > +   compression = "none";
> > > > +   type = "firmware";
> > > > +   arch = "sandbox";
> > > > +   load = <0>;
> > > > +   blob {
> > > > +   filename = 
> > > > "/tmp/capsules/u-boot.bin.new";
> > > > +   };
> > > > +
> > > > +   hash-1 {
> > > > +   algo = "sha1";
> > > > +   };
> > > > +   };
> > > > +   u-boot-env {
> > > > +   description = "U-Boot 
> > > > environment on SPI Flash";
> > > > +   compression = "none";
> > > > +   type = "firmware";
> > > > +   arch = "sandbox";
> > > > +   load = <0>;
> > > > +   blob {
> > > > +
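Review bot: The hash-1 subnode of u-boot-bin uses algo = "sha1". Even for a sandbox test image, sha256 is the better default in a newly added FIT description, because test device trees tend to be copied into board configurations. If sha1 is kept for compatibility with the removed its file, say so in the commit message.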

Re: [PATCH] efi_loader: Allow also empty capsule to be process

2023-07-19 Thread Sughosh Ganu
On Thu, 20 Jul 2023 at 11:37, Michal Simek  wrote:
>
> Hi,
>
> On 7/20/23 07:49, AKASHI Takahiro wrote:
> > Hi,
> >
> > On Wed, Jul 19, 2023 at 08:28:41AM +0200, Michal Simek wrote:
> >>
> >>
> >> On 7/18/23 17:41, Heinrich Schuchardt wrote:
> >>> On 13.07.23 16:35, Michal Simek wrote:
> >>>> Empty capsule are also allowed to be process. Without it updated images
> >>>> can't change their Image Acceptance state from no to yes.
> >>>
> >>> Is there any documentation describing the usage of empty capsule to set
> >>> the image acceptance state?
> >>
> >> I actually don't know about documentation. I was talking to Ilias to make
> >> sure that documentation is up2date because there are missing couple of
> >> things there.
> >
> > Sughosh should have more to say here about A/B update.
> >
> >> I am testing A/B update and if you setup oemflags to 0x8000 then capsules
> >> are not automatically accepted and waiting for acceptance capsule to be
> >> passed.
> >> When I tested it I found out that they are not process that's why I created
> >> this patch.
> >
> > The path you tried to modify is only executed by "efidebug capsule update"
> > or more specifically via the runtime service, UPDATE_CAPSULE.
> >
> > But this API is NOT officially supported in the current capsule implementation
> > (at least, in my initial intention).
> > The only way to invoke capsule updates is to reboot the system.
> > If you want to test A/B update, please do the reboot.
>
> I realized that to get full flow you need to use capsule update on disk to get
> all functionalities. But it is very impractical. Actually I would expect via
> efidebug you should be able to perform all steps as capsule update performs when
> you do reboot.
> I would also understand that via efidebug you are not able to apply any capsule
> but I don't think it is right that you can apply just update capsules but not
> empty capsules. I would understand none or all but not something in the middle.

The A/B update functionality requires using the capsule-on-disk
functionality for performing the updates. This is also mentioned in
the fwu_updates.rst document. You should be able to apply empty
capsules even with the 'efidebug disk-update' command. I have never
used the 'efidebug capsule update' command, so I'm not sure if that is
supported. Like Takahiro mentioned, if you place the capsules(genuine
or empty) under the /EFI/UpdateCapsule/ directory, the update should
happen automatically, since the fwu update feature also enables the
EFI_CAPSULE_ON_DISK_EARLY config.

-sughosh

>
> Thanks,
> Michal


Re: [PATCH] efi_loader: Allow also empty capsule to be process

2023-07-20 Thread Sughosh Ganu
On Thu, 20 Jul 2023 at 13:26, Michal Simek  wrote:
>
>
>
> On 7/20/23 08:36, Sughosh Ganu wrote:
> > On Thu, 20 Jul 2023 at 11:37, Michal Simek  wrote:
> >>
> >> Hi,
> >>
> >> On 7/20/23 07:49, AKASHI Takahiro wrote:
> >>> Hi,
> >>>
> >>> On Wed, Jul 19, 2023 at 08:28:41AM +0200, Michal Simek wrote:
> >>>>
> >>>>
> >>>> On 7/18/23 17:41, Heinrich Schuchardt wrote:
> >>>>> On 13.07.23 16:35, Michal Simek wrote:
> >>>>>> Empty capsule are also allowed to be process. Without it updated images
> >>>>>> can't change their Image Acceptance state from no to yes.
> >>>>>
> >>>>> Is there any documentation describing the usage of empty capsule to set
> >>>>> the image acceptance state?
> >>>>
> >>>> I actually don't know about documentation. I was talking to Ilias to make
> >>>> sure that documentation is up2date because there are missing couple of
> >>>> things there.
> >>>
> >>> Sughosh should have more to say here about A/B update.
> >>>
> >>>> I am testing A/B update and if you setup oemflags to 0x8000 then capsules
> >>>> are not automatically accepted and waiting for acceptance capsule to be
> >>>> passed.
> >>>> When I tested it I found out that they are not process that's why I created
> >>>> this patch.
> >>>
> >>> The path you tried to modify is only executed by "efidebug capsule update"
> >>> or more specifically via the runtime service, UPDATE_CAPSULE.
> >>>
> >>> But this API is NOT officially supported in the current capsule implementation
> >>> (at least, in my initial intention).
> >>> The only way to invoke capsule updates is to reboot the system.
> >>> If you want to test A/B update, please do the reboot.
> >>
> >> I realized that to get full flow you need to use capsule update on disk to get
> >> all functionalities. But it is very impractical. Actually I would expect via
> >> efidebug you should be able to perform all steps as capsule update performs when
> >> you do reboot.
> >> I would also understand that via efidebug you are not able to apply any capsule
> >> but I don't think it is right that you can apply just update capsules but not
> >> empty capsules. I would understand none or all but not something in the middle.
> >
> > The A/B update functionality requires using the capsule-on-disk
> > functionality for performing the updates. This is also mentioned in
> > the fwu_updates.rst document. You should be able to apply empty
> > capsules even with the 'efidebug disk-update' command.
>
> Yes this is working fine.
>
> ZynqMP> efidebug capsule disk-update
> #
> Applying capsule capsule1.bin succeeded.
> #
> Applying capsule capsule2.bin succeeded.
> Reboot after firmware update.
>
> I tested it also with empty capsules which are also process properly.
>
> > I have never
> > used the 'efidebug capsule update' command, so I'm not sure if that is
> > supported. Like Takahiro mentioned, if you place the capsules(genuine
> > or empty) under the /EFI/UpdateCapsule/ directory, the update should
> > happen automatically, since the fwu update feature also enables the
> > EFI_CAPSULE_ON_DISK_EARLY config.
>
> Yes that's work fine on production systems.
> But from my point of view there shouldn't be really a problem to also apply
> empty capsule via efidebug capsule update to be able to see that steps and
> changes in mdata structure without performing reset.

The 'efidebug capsule update' command calls the efi_update_capsule
function, which implements the UpdateCapsule runtime service call. The
initial versions of my fwu patches were indeed adding support for this
path, but one of the review comments was to restrict support only for
the capsule-on-disk path when performing the update in u-boot, since
we are not using the runtime call in u-boot.

-sughosh

>
> Again I have no issue with code which is using capsule-on-disk feature but I
> think that pretty much all these steps which are done automatically should be
> possible to do through steps to see them. That's what you can do with bootm
> start and simply stepping through it.
>
> I am testing 2 ima

Re: [PATCH v4 06/12] binman: capsule: Add support for generating capsules

2023-07-20 Thread Sughosh Ganu
hi Simon,

On Thu, 20 Jul 2023 at 00:41, Simon Glass  wrote:
>
> Hi Sughosh,
>
> On Wed, 19 Jul 2023 at 02:42, Sughosh Ganu  wrote:
> >
> > hi Simon,
> >
> > On Wed, 19 Jul 2023 at 06:41, Simon Glass  wrote:
> > >
> > > Hi Sughosh,
> > >
> > > > On Mon, 17 Jul 2023 at 04:44, Sughosh Ganu wrote:
> > > >
> > > > hi Simon,
> > > >
> > > > On Sun, 16 Jul 2023 at 05:12, Simon Glass  wrote:
> > > > >
> > > > > Hi Sughosh,
> > > > >
> > > > > > On Sat, 15 Jul 2023 at 07:46, Sughosh Ganu wrote:
> > > > > > >
> > > > > > > Add support in binman for generating capsules. The capsule parameters
> > > > > > can be specified either through a config file or through the capsule
> > > > > > binman entry. Also add test cases in binman for capsule generation,
> > > > > > and enable this testing on the sandbox_spl variant.
> > > > >
> > > > > Can you use sandbox instead, or perhaps sandbox_spl? SPL is really for
> > > > > SPL testing.
> > > >
> > > > Er, I am actually using the sandbox_spl variant.
> > > >
> > > > >
> > > > > >
> > > > > > Signed-off-by: Sughosh Ganu 
> > > > > > ---
> > > > > > Changes since V3:
> > > > > > * Add test cases for covering the various capsule generation
> > > > > >   scenarios.
> > > > > > * Add function comments in the mkeficapsule bintool.
> > > > > > > * Fix the fetch method of the mkeficapsule bintool to enable building
> > > > > >   the tool.
> > > > > > * Add more details about the capsule parameters in the documentation
> > > > > >   as well as the code.
> > > > > > * Fix order of module imports, and addition of blank lines in the
> > > > > >   capsule.py file.
> > > > > > * Use SetContents in the ObtainContents method.
> > > > > >
> > > > > >  configs/sandbox_spl_defconfig |   1 +
> > > > > >  tools/binman/btool/mkeficapsule.py| 158 
> > > > > > ++
> > > > > >  tools/binman/entries.rst  |  37 
> > > > > >  tools/binman/etype/capsule.py | 132 +++
> > > > > >  tools/binman/ftest.py | 127 ++
> > > > > >  tools/binman/test/282_capsule.dts |  18 ++
> > > > > >  tools/binman/test/283_capsule_signed.dts  |  20 +++
> > > > > >  tools/binman/test/284_capsule_conf.dts|  14 ++
> > > > > >  tools/binman/test/285_capsule_missing_key.dts |  19 +++
> > > > > >  .../binman/test/286_capsule_missing_index.dts |  17 ++
> > > > > >  .../binman/test/287_capsule_missing_guid.dts  |  17 ++
> > > > > >  .../test/288_capsule_missing_payload.dts  |  17 ++
> > > > > >  tools/binman/test/289_capsule_missing.dts |  17 ++
> > > > > >  tools/binman/test/290_capsule_version.dts |  19 +++
> > > > > >  tools/binman/test/capsule_cfg.txt |   6 +
> > > > > >  15 files changed, 619 insertions(+)
> > > > > >  create mode 100644 tools/binman/btool/mkeficapsule.py
> > > > > >  create mode 100644 tools/binman/etype/capsule.py
> > > > > >  create mode 100644 tools/binman/test/282_capsule.dts
> > > > > >  create mode 100644 tools/binman/test/283_capsule_signed.dts
> > > > > >  create mode 100644 tools/binman/test/284_capsule_conf.dts
> > > > > >  create mode 100644 tools/binman/test/285_capsule_missing_key.dts
> > > > > >  create mode 100644 tools/binman/test/286_capsule_missing_index.dts
> > > > > >  create mode 100644 tools/binman/test/287_capsule_missing_guid.dts
> > > > > >  create mode 100644 
> > > > > > tools/binman/test/288_capsule_missing_payload.dts
> > > > > >  create mode 100644 tools/binman/test/289_capsule_missing.dts
> > > > > >  create mode 100644 tools/binman/test/290_capsule_version.dts
> > > > > >  create mode 100644 tools/binman/test/capsule_cfg.txt
> > > > >
> >

Re: [PATCH] efi_loader: Allow also empty capsule to be process

2023-07-20 Thread Sughosh Ganu
On Thu, 20 Jul 2023 at 14:56, Michal Simek  wrote:
>
>
>
> On 7/20/23 10:45, Sughosh Ganu wrote:
> > On Thu, 20 Jul 2023 at 13:26, Michal Simek  wrote:
> >>
> >>
> >>
> >> On 7/20/23 08:36, Sughosh Ganu wrote:
> >>> On Thu, 20 Jul 2023 at 11:37, Michal Simek  wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> On 7/20/23 07:49, AKASHI Takahiro wrote:
> >>>>> Hi,
> >>>>>
> >>>>> On Wed, Jul 19, 2023 at 08:28:41AM +0200, Michal Simek wrote:
> >>>>>>
> >>>>>>
> >>>>>> On 7/18/23 17:41, Heinrich Schuchardt wrote:
> >>>>>>> On 13.07.23 16:35, Michal Simek wrote:
> >>>>>>>> Empty capsule are also allowed to be process. Without it updated images
> >>>>>>>> can't change their Image Acceptance state from no to yes.
> >>>>>>>
> >>>>>>> Is there any documentation describing the usage of empty capsule to set
> >>>>>>> the image acceptance state?
> >>>>>>
> >>>>>> I actually don't know about documentation. I was talking to Ilias to make
> >>>>>> sure that documentation is up2date because there are missing couple of
> >>>>>> things there.
> >>>>>
> >>>>> Sughosh should have more to say here about A/B update.
> >>>>>
> >>>>>> I am testing A/B update and if you setup oemflags to 0x8000 then capsules
> >>>>>> are not automatically accepted and waiting for acceptance capsule to be
> >>>>>> passed.
> >>>>>> When I tested it I found out that they are not process that's why I created
> >>>>>> this patch.
> >>>>>
> >>>>> The path you tried to modify is only executed by "efidebug capsule update"
> >>>>> or more specifically via the runtime service, UPDATE_CAPSULE.
> >>>>>
> >>>>> But this API is NOT officially supported in the current capsule implementation
> >>>>> (at least, in my initial intention).
> >>>>> The only way to invoke capsule updates is to reboot the system.
> >>>>> If you want to test A/B update, please do the reboot.
> >>>>
> >>>> I realized that to get full flow you need to use capsule update on disk to get
> >>>> all functionalities. But it is very impractical. Actually I would expect via
> >>>> efidebug you should be able to perform all steps as capsule update performs when
> >>>> you do reboot.
> >>>> I would also understand that via efidebug you are not able to apply any capsule
> >>>> but I don't think it is right that you can apply just update capsules but not
> >>>> empty capsules. I would understand none or all but not something in the middle.
> >>>
> >>> The A/B update functionality requires using the capsule-on-disk
> >>> functionality for performing the updates. This is also mentioned in
> >>> the fwu_updates.rst document. You should be able to apply empty
> >>> capsules even with the 'efidebug disk-update' command.
> >>
> >> Yes this is working fine.
> >>
> >> ZynqMP> efidebug capsule disk-update
> >> #
> >> Applying capsule capsule1.bin succeeded.
> >> #
> >> Applying capsule capsule2.bin succeeded.
> >> Reboot after firmware update.
> >>
> >> I tested it also with empty capsules which are also process properly.
> >>
> >>> I have never
> >>> used the 'efidebug capsule update' command, so I'm not sure if that is
> >>> supported. Like Takahiro mentioned, if you place the capsules(genuine
> >>> or empty) under the /EFI/UpdateCapsule/ directory, the update should
> >>> happen automatically, since the fwu update feature also enables the
> >>> EFI_CAPSULE_ON_DISK_EARLY config.
> >>
> >> Yes that's work fine on production systems.
> >> But from my point of view there shouldn't be really a problem to also apply
> >> empty capsule via efidebug capsule update to be able to see that steps and
> >> changes in mdata structure without performing reset.
> >
> > The 'efidebug capsule update' command calls the efi_update_capsule
> > function, which implements the UpdateCapsule runtime service call. The
> > initial versions of my fwu patches were indeed adding support for this
> > path, but one of the review comments was to restrict support only for
> > the capsule-on-disk path when performing the update in u-boot, since
> > we are not using the runtime call in u-boot.
>
> I don't think this is a valid argument. As I said I would understand if there is
> no interface for any capsule. It means having support for both or none is IMHO
> the way we should support.
> Can you please point me to that discussion?

There is mention of the point in this discussion [1]. Even this thread
has Takahiro mention the point he is making above, that maybe there
shouldn't be the efi_update_capsule function.

-sughosh

[1] - https://lists.denx.de/pipermail/u-boot/2022-February/473891.html


[PATCH v5 02/12] nuvoton: npcm845-evb: Add a newline at the end of file

2023-07-25 Thread Sughosh Ganu
Add a newline at the end of the dts, without which the build fails
when including the u-boot.dtsi file.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Simon Glass 
---
Changes since V4: None

 arch/arm/dts/nuvoton-npcm845-evb.dts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/dts/nuvoton-npcm845-evb.dts 
b/arch/arm/dts/nuvoton-npcm845-evb.dts
index 3cab7807e3..a93666cb41 100644
--- a/arch/arm/dts/nuvoton-npcm845-evb.dts
+++ b/arch/arm/dts/nuvoton-npcm845-evb.dts
@@ -354,4 +354,4 @@
&r1en_pins
&r1oen_pins
>;
-};
\ No newline at end of file
+};
-- 
2.34.1



[PATCH v5 03/12] capsule: authenticate: Add capsule public key in platform's dtb

2023-07-25 Thread Sughosh Ganu
The EFI capsule authentication logic in u-boot expects the public key
in the form of an EFI Signature List(ESL) to be provided as part of
the platform's dtb. Currently, the embedding of the ESL file into the
dtb needs to be done manually.

Add a signature node in the u-boot dtsi file and include the public
key through the capsule-key property. This file is per architecture,
and is currently being added for sandbox and arm architectures. It
will have to be added for other architectures which need to enable
capsule authentication support.

The path to the ESL file is specified through the
CONFIG_EFI_CAPSULE_ESL_FILE symbol.

Signed-off-by: Sughosh Ganu 
---
Changes since V4:
* Fix multi line comment format.
* Drop additional blank line.
* Remove the check for CONFIG_EFI_HAVE_CAPSULE_SUPPORT from arm's
  u-boot.dtsi.
* Wrap the help text in the EFI_CAPSULE_ESL_FILE config at 72 chars.

 arch/arm/dts/u-boot.dtsi | 14 ++
 arch/sandbox/dts/u-boot.dtsi | 17 +
 lib/efi_loader/Kconfig   |  9 +
 lib/efi_loader/Makefile  |  7 +++
 4 files changed, 47 insertions(+)
 create mode 100644 arch/arm/dts/u-boot.dtsi
 create mode 100644 arch/sandbox/dts/u-boot.dtsi

diff --git a/arch/arm/dts/u-boot.dtsi b/arch/arm/dts/u-boot.dtsi
new file mode 100644
index 00..4f31da4521
--- /dev/null
+++ b/arch/arm/dts/u-boot.dtsi
@@ -0,0 +1,14 @@
+// SPDX-License-Identifier: GPL-2.0+
+/**
+ * Devicetree file with miscellaneous nodes that will be included
+ * at build time into the DTB. Currently being used for including
+ * capsule related information.
+ */
+
+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+/ {
+   signature {
+   capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
+   };
+};
+#endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */
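Review bot: The header comment in this new file opens with "/**", which marks a kernel-doc block; this is an ordinary comment and should open with "/*", as the sandbox u-boot.dtsi added in the same patch does.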
diff --git a/arch/sandbox/dts/u-boot.dtsi b/arch/sandbox/dts/u-boot.dtsi
new file mode 100644
index 00..60bd004937
--- /dev/null
+++ b/arch/sandbox/dts/u-boot.dtsi
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Devicetree file with miscellaneous nodes that will be included
+ * at build time into the DTB. Currently being used for including
+ * capsule related information.
+ *
+ */
+
+#ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT
+/ {
+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+   signature {
+   capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
+   };
+#endif
+};
+#endif /* CONFIG_EFI_HAVE_CAPSULE_SUPPORT */
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index a22e47616f..0d559ff3a1 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -235,6 +235,15 @@ config EFI_CAPSULE_MAX
  Select the max capsule index value used for capsule report
  variables. This value is used to create CapsuleMax variable.
 
+config EFI_CAPSULE_ESL_FILE
+   string "Path to the EFI Signature List File"
+   default ""
+   depends on EFI_CAPSULE_AUTHENTICATE
+   help
+ Provides the absolute path to the EFI Signature List file which
+ will be embedded in the platform's device tree and used for
+ capsule authentication at the time of capsule update.
+
 config EFI_DEVICE_PATH_TO_TEXT
bool "Device path to text protocol"
default y
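Review bot: The help text asks for an absolute path, but nothing enforces that and the text does not say what a relative value does. The two consumers resolve a relative path differently: /incbin/ in the dtsi relative to the including file, $(wildcard ...) in lib/efi_loader/Makefile relative to make's working directory. Either state that relative paths are unsupported or resolve the value against $(srctree), as the EFI_VAR_SEED_FILE rule in that Makefile does. One more sentence saying the file holds only the public certificate list, never the signing key, would also help.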
diff --git a/lib/efi_loader/Makefile b/lib/efi_loader/Makefile
index 1a8c8d7cab..c52c9d27bd 100644
--- a/lib/efi_loader/Makefile
+++ b/lib/efi_loader/Makefile
@@ -89,3 +89,10 @@ obj-$(CONFIG_EFI_ECPT) += efi_conformance.o
 
 EFI_VAR_SEED_FILE := $(subst $\",,$(CONFIG_EFI_VAR_SEED_FILE))
 $(obj)/efi_var_seed.o: $(srctree)/$(EFI_VAR_SEED_FILE)
+
+ifeq ($(CONFIG_EFI_CAPSULE_AUTHENTICATE),y)
+EFI_CAPSULE_KEY_PATH := $(subst $\",,$(CONFIG_EFI_CAPSULE_ESL_FILE))
+ifeq ("$(wildcard $(EFI_CAPSULE_KEY_PATH))","")
+$(error .esl cerificate not found. Configure your CONFIG_EFI_CAPSULE_ESL_FILE)
+endif
+endif
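Review bot: The $(error ...) text misspells "certificate" as "cerificate" and does not print the path that was tested, which makes a wrong CONFIG_EFI_CAPSULE_ESL_FILE value harder to spot; include $(EFI_CAPSULE_KEY_PATH) in the message. The $(wildcard ...) test only proves that something exists at that path, so an empty or non-ESL file is still embedded as capsule-key; either document that limit in the Kconfig help or add a format check.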
-- 
2.34.1



[PATCH v5 04/12] doc: capsule: Document the new mechanism to embed ESL file into dtb

2023-07-25 Thread Sughosh Ganu
Update the document to specify how the EFI Signature List(ESL) file
can be embedded into the platform's dtb as part of the u-boot build.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Simon Glass 
---
Changes since V4: None

 doc/develop/uefi/uefi.rst | 22 +-
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index a7a41f2fac..b2854b52a6 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -522,20 +522,16 @@ and used by the steps highlighted below.
 ...
 }
 
-You can do step-4 manually with
+You can perform step-4 by defining the Kconfig symbol
+CONFIG_EFI_CAPSULE_ESL_FILE. Once this has been done, the signature
+node can be added to the u-boot.dtsi file. For reference, check the
+u-boot.dtsi file for the sandbox architecture. If this node has not
+been added to the architecture's u-boot.dtsi file, this needs to be
+done. The node has currently been added for the sandbox and arm
+architectures' in the u-boot.dtsi file. Once the u-boot.dtsi file has
+been added with the signature node, the esl file will automatically
+get embedded into the platform's dtb as part of u-boot build.
 
-.. code-block:: console
-
-$ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts
-$ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo
-
-where signature.dts looks like::
-
-&{/} {
-signature {
-capsule-key = /incbin/("CRT.esl");
-};
-};
 
 Anti-rollback Protection
 
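
Review bot: the replacement paragraph drops the only concrete example of the signature node (the removed signature.dts snippet with its capsule-key property) and sends the reader to the sandbox u-boot.dtsi instead. Keep a short snippet of the node as it appears in u-boot.dtsi, so that someone adding it for a new architecture can see the expected node and property names. Wording: "architectures' in the u-boot.dtsi file" has a stray apostrophe, "esl file" should be "ESL file", and the hunk leaves two consecutive blank lines before "Anti-rollback Protection". The Kconfig help asks for an absolute path; this text should say so too.
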
-- 
2.34.1



[PATCH v5 00/12] Integrate EFI capsule tasks into u-boot's build flow

2023-07-25 Thread Sughosh Ganu


This patchset aims to bring two capsule related tasks under the u-boot
build flow.

One is the embedding of the public key into the platform's dtb. The
public key is in the form of an EFI Signature List(ESL) file and is
used for capsule authentication. This is being achieved by adding the
signature node containing the capsule public key in the architecture's
u-boot.dtsi file. Currently, the u-boot.dtsi file has been added for
the sandbox and arm architectures. The path to the ESL file is being
provided through a Kconfig symbol(CONFIG_EFI_CAPSULE_ESL_FILE).

Changes have also been made to the test flow so that the keys used for
signing the capsule, and the ESL file, are generated prior to invoking
the u-boot's build, which enables embedding the ESL file into the dtb
as part of the u-boot build.

The other task is related to generation of capsules. Support is being
added to generate capsules by specifying the capsule parameters in a
config file. Calling the mkeficapsule tool then results in generation
of the corresponding capsule files. The capsules can be generated as
part of u-boot build, and this is being achieved through binman, by
adding a capsule entry type. The capsules can be generated either by
specifying the capsule parameters in a config file, or through
specifying them as properties under the capsule entry node. If using
the config file, the path to the config file is to be specified
through a Kconfig symbol(CONFIG_EFI_CAPSULE_CFG_FILE).

Changes have also been made to the efi capsule update feature testing
setup on the sandbox variants. Currently, the capsule files and the
public key ESL file are generated after u-boot has been built. This
logic has been changed so that the capsule input files along with the
keys needed for capsule signing and authentication are generated prior
to initiation of the u-boot build. The placement of all the files
needed for generation of capsules, along with the generated capsule
files is under the /tmp/capsules/ directory.

Currently, the capsule update feature is tested on the sandbox
and sandbox_flattree variants in CI. The capsule generation through
config file is enabled for the sandbox variant, with the
sandbox_flattree variant generating capsules through the command-line
parameters.

The document has been updated to reflect the above changes.

Changes since V4:
* Rebase on top of current HEAD.
* Pass the single command target names directly to the function
  instead of putting them in a separate list.
* Fix multi line comment format.
* Drop additional blank line.
* Remove the check for CONFIG_EFI_HAVE_CAPSULE_SUPPORT from arm's
  u-boot.dtsi.
* Wrap the help text in the EFI_CAPSULE_ESL_FILE config at 72 chars.
* New patch which moves the setting up of the files needed for testing
  the EFI capsule update feature to the Dockerfile.
* Remove blank lines after function comments.
* Fix a couple of typos.
* Use single quotes for strings.
* Put the GUIDs in variables with relevant names.
* Declare certain values in local variables instead of member values.
* Add comments for explaining the payload offsets in the capsule file.
* Drop the test case for generating the capsule from the config
  file.
* Define payload data for the capsule tests.
* Add logic to find input and output files in capsule generation in
  the indir and outdir directories when absolute path is not passed.
* Use a relative path for CONFIG_EFI_CAPSULE_CFG_FILE.
* Remove logic to copy capsule config file to /tmp/capsules/
  directory, as the capsule entry can handle relative paths.
* Add a comment in the capsule config file for the image GUIDs being
  used.
* Use lower case for image GUIDs.
* Define macros for the image GUIDs being used for generating the
  capsules.
* Use lower case for image GUIDs.


Sughosh Ganu (12):
  binman: bintool: Build a tool from a list of commands
  nuvoton: npcm845-evb: Add a newline at the end of file
  capsule: authenticate: Add capsule public key in platform's dtb
  doc: capsule: Document the new mechanism to embed ESL file into dtb
  tools: mkeficapsule: Add support for parsing capsule params from
config file
  Dockerfile: capsule: Setup the files needed for capsule update testing
  binman: capsule: Add support for generating capsules
  doc: Add documentation to highlight capsule generation related updates
  test: py: Setup capsule files for testing
  test: capsule: Remove public key embed logic from capsule update test
  sandbox: capsule: Add a config file for generating capsules
  sandbox: capsule: Generate capsule related files through binman

 arch/arm/dts/nuvoton-npcm845-evb.dts  |   2 +-
 arch/arm/dts/u-boot.dtsi  |  14 +
 arch/sandbox/dts/u-boot.dtsi  | 288 ++
 configs/sandbox_defconfig |   3 +
 configs/sandbox_flattree_defconfig|   1 +
 configs/sandbox_spl_defconfig |   1 +
 doc/develop/uefi/uefi.rst | 1

[PATCH v5 01/12] binman: bintool: Build a tool from a list of commands

2023-07-25 Thread Sughosh Ganu
Add support to build a tool from source with a list of commands. This
is useful when a tool can be built with multiple commands instead of a
single command.

Signed-off-by: Sughosh Ganu 
---
Changes since V4:
* Pass the single command target names directly to the function
  instead of putting them in a separate list.

 tools/binman/bintool.py | 19 +++
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/tools/binman/bintool.py b/tools/binman/bintool.py
index 0b0f56dbbb..3c4ad1adbb 100644
--- a/tools/binman/bintool.py
+++ b/tools/binman/bintool.py
@@ -328,7 +328,7 @@ class Bintool:
 return result.stdout
 
 @classmethod
-def build_from_git(cls, git_repo, make_target, bintool_path, flags=None):
+def build_from_git(cls, git_repo, make_targets, bintool_path, flags=None):
 """Build a bintool from a git repo
 
 This clones the repo in a temporary directory, builds it with 'make',
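
Review bot: make_target (str) becomes make_targets (list of str) in the signature, but the diffstat shows only tools/binman/bintool.py changing, so any caller that still passes a string is not updated by this patch. A string is iterable, so the loop added in the last hunk would run make once per character instead of failing. Either convert the callers in the same patch or normalise the argument at the top of build_from_git() (wrap a str in a list), so the series stays bisectable.
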
@@ -336,7 +336,8 @@ class Bintool:
 
 Args:
 git_repo (str): URL of git repo
-make_target (str): Target to pass to 'make' to build the tool
+make_targets (list of str): List of targets to pass to 'make' to 
build
+the tool
 bintool_path (str): Relative path of the tool in the repo, after
 build is complete
 flags (list of str): Flags or variables to pass to make, or None
@@ -350,12 +351,14 @@ class Bintool:
 tmpdir = tempfile.mkdtemp(prefix='binmanf.')
 print(f"- clone git repo '{git_repo}' to '{tmpdir}'")
 tools.run('git', 'clone', '--depth', '1', git_repo, tmpdir)
-print(f"- build target '{make_target}'")
-cmd = ['make', '-C', tmpdir, '-j', f'{multiprocessing.cpu_count()}',
-   make_target]
-if flags:
-cmd += flags
-tools.run(*cmd)
+for target in make_targets:
+print(f"- build target '{target}'")
+cmd = ['make', '-C', tmpdir, '-j', 
f'{multiprocessing.cpu_count()}',
+   target]
+if flags:
+cmd += flags
+tools.run(*cmd)
+
 fname = os.path.join(tmpdir, bintool_path)
 if not os.path.exists(fname):
 print(f"- File '{fname}' was not produced")
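
Review bot: the loop issues one make invocation per target with identical flags, which is narrower than the commit message's "list of commands"; only the target varies. The docstring should state that targets are built in the listed order and that flags apply to every invocation, and it is worth one line on why the targets cannot be passed to a single make call.
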
-- 
2.34.1



[PATCH v5 06/12] Dockerfile: capsule: Setup the files needed for capsule update testing

2023-07-25 Thread Sughosh Ganu
Support has been added through earlier commits to build capsules
and embed the public key needed for capsule authentication as part of
u-boot build.

From the testing point-of-view, this means the input files needed for
generating the above have to be set up before invoking the build. Set
this up in the CI configuration docker file for testing the capsule
update feature.

Signed-off-by: Sughosh Ganu 
---
Changes since V4:
* New patch which moves the setting up of the files needed for testing
  the EFI capsule update feature to the Dockerfile.

Note: Earlier, this setup was being done in the azure and gitlab yaml
files. Now that this has been moved to the Dockerfile, this will
require generating a new container image and referencing that image in
the yaml files for the CI to work when these patches get applied.

 tools/docker/Dockerfile | 12 
 1 file changed, 12 insertions(+)

diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
index 3d2b64a355..294a0b0a53 100644
--- a/tools/docker/Dockerfile
+++ b/tools/docker/Dockerfile
@@ -206,6 +206,18 @@ RUN mkdir -p /opt/nokia && \
cp /tmp/qemu-linaro/arm-softmmu/qemu-system-arm /opt/nokia && \
rm -rf /tmp/qemu-linaro
 
+# Set up capsule files for UEFI capsule update testing
+RUN mkdir -p /tmp/capsules && \
+cd /tmp/capsules/ && \
+echo -n "u-boot:Old" > u-boot.bin.old && \
+echo -n "u-boot:New" > u-boot.bin.new && \
+echo -n "u-boot-env:Old" > u-boot.env.old && \
+echo -n "u-boot-env:New" > u-boot.env.new && \
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout 
SIGNER.key -out SIGNER.crt -nodes -days 365 && \
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout 
SIGNER2.key -out SIGNER2.crt -nodes -days 365 && \
+cert-to-efi-sig-list SIGNER.crt SIGNER.esl && \
+chmod -R uog+rw /tmp/capsules/
+
 # Build genimage (required by some targets to generate disk images)
 RUN wget -O - 
https://github.com/pengutronix/genimage/releases/download/v14/genimage-14.tar.xz
 | tar -C /tmp -xJ && \
cd /tmp/genimage-14 && \
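
Review bot: the RUN step generates SIGNER.key and SIGNER2.key unencrypted (-nodes) at image build time and then makes the whole directory read-writable for everyone with chmod -R uog+rw, so every container started from this image shares the same private keys and any user in it can replace SIGNER.esl. That is acceptable for test-only material, but the comment above the step should say these keys exist only for the capsule tests. Two further points: the files live under /tmp, so a CI runner that mounts a fresh /tmp over the image loses them, and -days 365 fixes the certificate lifetime to one year from the image build. SIGNER and SIGNER2 also share the subject /CN=TEST_SIGNER/, which makes the two certificates hard to tell apart in logs.
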
-- 
2.34.1



[PATCH v5 08/12] doc: Add documentation to highlight capsule generation related updates

2023-07-25 Thread Sughosh Ganu
The UEFI capsule can now be generated by specifying the capsule
parameters through a config file. Additionally, the capsules can be
generated as part of u-boot build, through binman. Highlight these
changes in the documentation.

Signed-off-by: Sughosh Ganu 
---
Changes since V4: None

 doc/develop/uefi/uefi.rst | 84 +++
 1 file changed, 84 insertions(+)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index b2854b52a6..29955d943e 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -318,6 +318,79 @@ Run the following command
   --guid  \
   
 
+Alternatively, the capsules can be generated through a config
+file. When generating the capsules through a config file, the Kconfig
+symbol CONFIG_EFI_CAPSULE_CFG_FILE is to be used for specifying the
+path to the config file.
+
+The config file describes the parameters that are used for generating
+one or more capsules. The parameters for a given capsule file are
+specified within curly braces, in the form of "key:value" pairs. All
+the parameters that are currently supported by the mkeficapsule tool
+can be specified through the config file.
+
+The following are some example payload parameters specified through
+the config file.
+
+.. code-block:: none
+
+   {
+   image-guid: 02f4d760-cfd5-43bd-8e2d-a42acb33c660
+   hardware-instance: 0
+   monotonic-count: 1
+   payload: u-boot.bin
+   image-index: 1
+   fw-version: 2
+   private-key: /path/to/priv/key
+   pub-key-cert: /path/to/pub/key
+   capsule: u-boot.capsule
+   }
+   {
+   image-guid: 4ce292da-1dd8-428d-a1c2-77743ef8b96e
+   hardware-instance: 0
+   payload: u-boot.itb
+   image-index: 2
+   fw-version: 7
+   oemflags: 0x8000
+   capsule: fit.capsule
+   }
+   {
+   capsule-type: accept
+   image-guid: 4ce292da-1dd8-428d-a1c2-77743ef8b96e
+   capsule: accept.capsule
+   }
+   {
+   capsule-type: revert
+   capsule: revert.capsule
+   }
+
+The following are the keys that specify the capsule parameters
+
+..code-block:: none
+
+image-guid: Image GUID
+image-index: Image index value
+fw-version: Image version
+private-key: Path to the private key file used for capsule signing
+pub-key-cert: Path to the public key crt file used for capsule signing
+payload: Path to the capsule payload file
+capsule: Path to the output capsule file that is generated
+hardware-instance: Hardware Instance value
+monotonic-count: Monotonic count value
+capsule-type: Specifies capsule type. normal(default), accept or revert
+oemflags: 16bit Oemflags value to be used(populated in capsule header)
+
+When generating capsules through a config file, the command would look
+like
+
+.. code-block:: console
+
+$ mkeficapsule --cfg-file 
+
+
+Capsule with firmware version
+*
+
 The UEFI specification does not define the firmware versioning mechanism.
 EDK II reference implementation inserts the FMP Payload Header right before
 the payload. It coutains the fw_version and lowest supported version,
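
Review bot: the second directive is written "..code-block:: none" without the space after "..", so it will not be parsed as a directive and the key list will not render as a literal block. The key list also does not say which keys are mandatory for each capsule-type, or what happens when only some of private-key, pub-key-cert and monotonic-count are given; since those decide whether the capsule is signed, spell that out. "The following are the keys that specify the capsule parameters" needs a trailing colon.
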
@@ -345,6 +418,17 @@ add --fw-version option in mkeficapsule tool.
 If the --fw-version option is not set, FMP Payload Header is not inserted
 and fw_version is set as 0.
 
+
+Capsule Generation through binman
+*
+
+Support has also been added to generate capsules during u-boot build
+through binman. This requires the platform's DTB to be populated with
+the capsule entry nodes for binman. The capsules then can be generated
+by specifying the capsule parameters either through a config file, or
+by specifying them as properties in the capsule entry node.
+
+
 Performing the update
 *
 
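
Review bot: the new section says the DTB must carry "capsule entry nodes" but gives neither the entry type name nor an example node, so a reader cannot act on it. Add a minimal example node with its properties or a cross-reference to the binman entry documentation, and state which source wins when both a config file and node properties are present.
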
-- 
2.34.1



[PATCH v5 05/12] tools: mkeficapsule: Add support for parsing capsule params from config file

2023-07-25 Thread Sughosh Ganu
Add support for specifying the parameters needed for capsule
generation through a config file, instead of passing them through
command-line. Parameters for more than a single capsule file can be
specified, resulting in generation of multiple capsules through a
single invocation of the command.

This path is to be used for generating capsules through a make target,
with the parameters being parsed from the config file.

Signed-off-by: Sughosh Ganu 
---
Changes since V4: None

 tools/Kconfig  |  16 ++
 tools/Makefile |   1 +
 tools/eficapsule.h | 115 
 tools/mkeficapsule.c   |  87 +
 tools/mkeficapsule_parse.c | 352 +
 5 files changed, 540 insertions(+), 31 deletions(-)
 create mode 100644 tools/mkeficapsule_parse.c

diff --git a/tools/Kconfig b/tools/Kconfig
index 6e23f44d55..88ea3567d0 100644
--- a/tools/Kconfig
+++ b/tools/Kconfig
@@ -98,6 +98,22 @@ config TOOLS_MKEFICAPSULE
  optionally sign that file. If you want to enable UEFI capsule
  update feature on your target, you certainly need this.
 
+config EFI_CAPSULE_CFG_FILE
+   string "Path to the EFI Capsule Config File"
+   default ""
+   help
+ Path to the EFI capsule config file which provides the
+ parameters needed to build capsule(s). Parameters can be
+ provided for multiple payloads resulting in corresponding
+ capsule images being generated.
+
+config EFI_USE_CAPSULE_CFG_FILE
+   bool "Use the config file for generating capsules"
+   help
+ Boolean option used to specify if the EFI capsules are to
+ be generated through parameters specified via the config
+ file or through command line.
+
 menuconfig FSPI_CONF_HEADER
bool "FlexSPI Header Configuration"
help
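
Review bot: EFI_USE_CAPSULE_CFG_FILE has no "depends on", so it can be set to y while EFI_CAPSULE_CFG_FILE keeps its empty default, and neither symbol depends on TOOLS_MKEFICAPSULE. Make the bool depend on TOOLS_MKEFICAPSULE and put the path under it (depends on EFI_USE_CAPSULE_CFG_FILE), or drop the bool and treat a non-empty path as the switch. The help for EFI_CAPSULE_CFG_FILE should also say what a relative path is resolved against.
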
diff --git a/tools/Makefile b/tools/Makefile
index 3d0c4b0dd6..eb129e3bb2 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -250,6 +250,7 @@ HOSTLDLIBS_mkeficapsule += \
 HOSTLDLIBS_mkeficapsule += \
$(shell pkg-config --libs uuid 2> /dev/null || echo "-luuid")
 hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
+mkeficapsule-objs := mkeficapsule.o mkeficapsule_parse.o
 
 mkfwumdata-objs := mkfwumdata.o generated/lib/crc32.o
 HOSTLDLIBS_mkfwumdata += -luuid
diff --git a/tools/eficapsule.h b/tools/eficapsule.h
index 2099a2e9b8..d455ac1d6f 100644
--- a/tools/eficapsule.h
+++ b/tools/eficapsule.h
@@ -52,6 +52,12 @@ typedef struct {
 /* flags */
 #define CAPSULE_FLAGS_PERSIST_ACROSS_RESET  0x0001
 
+enum capsule_type {
+   CAPSULE_NORMAL_BLOB = 0,
+   CAPSULE_ACCEPT,
+   CAPSULE_REVERT,
+};
+
 struct efi_capsule_header {
efi_guid_t capsule_guid;
uint32_t header_size;
@@ -113,6 +119,7 @@ struct efi_firmware_image_authentication {
struct win_certificate_uefi_guid auth_info;
 } __packed;
 
+
 /* fmp payload header */
 #define SIGNATURE_16(A, B) ((A) | ((B) << 8))
 #define SIGNATURE_32(A, B, C, D)   \
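
Review bot: stray blank line after "} __packed;": the only change in this hunk is a second empty line before the "fmp payload header" comment, which looks like a leftover and should be dropped.
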
@@ -143,4 +150,112 @@ struct fmp_payload_header_params {
uint32_t fw_version;
 };
 
+/**
+ * struct efi_capsule_params - Capsule parameters
+ * @image_guid: Guid value of the payload input image
+ * @image_index: Image index value
+ * @hardware_instance: Hardware instance to be used for the image
+ * @fmp: FMP payload header used for storing firmware version
+ * @monotonic_count: Monotonic count value to be used for signed capsule
+ * @privkey_file: Path to private key used in capsule signing
+ * @cert_file: Path to public key certificate used in capsule signing
+ * @input_file: Path to payload input image
+ * @capsule_file: Path to the output capsule file
+ * @oemflags: Oemflags to be populated in the capsule header
+ * @capsule: Capsule Type, normal or accept or revert
+ */
+struct efi_capsule_params {
+   efi_guid_t *image_guid;
+   unsigned long image_index;
+   unsigned long hardware_instance;
+   struct fmp_payload_header_params fmp;
+   uint64_t monotonic_count;
+   char *privkey_file;
+   char *cert_file;
+   char *input_file;
+   char *capsule_file;
+   unsigned long oemflags;
+   enum capsule_type capsule;
+};
+
+/**
+ * capsule_with_cfg_file() - Generate capsule from config file
+ * @cfg_file: Path to the config file
+ *
+ * Parse the capsule parameters from the config file and use the
+ * parameters for generating one or more capsules.
+ *
+ * Return: None
+ *
+ */
+void capsule_with_cfg_file(const char *cfg_file);
+
+/**
+ * convert_uuid_to_guid() - convert UUID to GUID
+ * @buf:   UUID binary
+ *
+ * UUID and GUID have the same data structure, but their binary
+ * formats are different due to the endianness. See lib/uuid.c.
+ * Since uuid_parse() can handle only UUID, this function must
+ * be called to get correct data for GUID when parsing a string.
+ *
+ * The correct data will be returned 
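
Review bot: capsule_with_cfg_file() is declared void with "Return: None", so the caller cannot tell a parse error or a failed capsule from success; return an int and let the caller turn it into the exit status, so that a build step fails when the config is malformed. In struct efi_capsule_params the member holding the type is named capsule, right next to capsule_file, which is easy to misread (capsule_type would match the enum). The kernel-doc also does not say who owns and frees image_guid and the four char * paths.
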

[PATCH v5 09/12] test: py: Setup capsule files for testing

2023-07-25 Thread Sughosh Ganu
Support has been added through earlier commits to build capsules and
embed the public key needed for capsule authentication as part of
u-boot build.

From the testing point-of-view, this means the input files needed for
the above have to be set up before invoking the build. Set this up in
the pytest configuration file for testing the capsule update feature.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Simon Glass 
---
Changes since V4: None

 test/py/conftest.py | 84 +
 1 file changed, 84 insertions(+)

diff --git a/test/py/conftest.py b/test/py/conftest.py
index fc9dd3a83f..1092cb713b 100644
--- a/test/py/conftest.py
+++ b/test/py/conftest.py
@@ -80,6 +80,86 @@ def pytest_addoption(parser):
 help='Run sandbox under gdbserver. The argument is the channel '+
 'over which gdbserver should communicate, e.g. localhost:1234')
 
+def setup_capsule_build(source_dir, build_dir, board_type, log):
+"""Setup the platform's build for testing capsule updates
+
+This generates the payload/input files needed for testing the
+capsule update functionality, along with the keys for signing
+the capsules. An EFI Signature List(ESL) file, which houses the
+public key for capsule authentication is generated as
+well.
+
+The ESL file is subsequently embedded into the platform's
+dtb during the u-boot build, to be used for capsule
+authentication.
+
+Two sets of keys are generated, namely SIGNER and SIGNER2.
+The SIGNER2 key pair is used as a malicious key for testing the
+the capsule authentication functionality.
+
+All the generated files are placed under the /tmp/capsules/
+directory.
+
+Args:
+soruce_dir (str): Directory containing source code
+build_dir (str): Directory to build in
+board_type (str): board_type parameter (e.g. 'sandbox')
+log (Logfile): Log file to use
+
+Returns:
+Nothing.
+"""
+def run_command(name, cmd, source_dir):
+with log.section(name):
+if isinstance(cmd, str):
+cmd = cmd.split()
+runner = log.get_runner(name, None)
+runner.run(cmd, cwd=source_dir)
+runner.close()
+log.status_pass('OK')
+
+def gen_capsule_payloads(capsule_dir):
+fname = f'{capsule_dir}u-boot.bin.old'
+with open(fname, 'w') as fd:
+fd.write('u-boot:Old')
+
+fname = f'{capsule_dir}u-boot.bin.new'
+with open(fname, 'w') as fd:
+fd.write('u-boot:New')
+
+fname = f'{capsule_dir}u-boot.env.old'
+with open(fname, 'w') as fd:
+fd.write('u-boot-env:Old')
+
+fname = f'{capsule_dir}u-boot.env.new'
+with open(fname, 'w') as fd:
+fd.write('u-boot-env:New')
+
+capsule_sig_dir = '/tmp/capsules/'
+sig_name = 'SIGNER'
+mkdir_p(capsule_sig_dir)
+name = 'openssl'
+cmd = ( 'openssl req -x509 -sha256 -newkey rsa:2048 '
+'-subj /CN=TEST_SIGNER/ -keyout '
+f'{capsule_sig_dir}{sig_name}.key '
+f'-out {capsule_sig_dir}{sig_name}.crt -nodes -days 365' )
+run_command(name, cmd, source_dir)
+
+name = 'cert-to-efi-sig-list'
+cmd = ( f'cert-to-efi-sig-list {capsule_sig_dir}{sig_name}.crt '
+f'{capsule_sig_dir}{sig_name}.esl' )
+run_command(name, cmd, source_dir)
+
+sig_name = 'SIGNER2'
+name = 'openssl'
+cmd = ( 'openssl req -x509 -sha256 -newkey rsa:2048 '
+'-subj /CN=TEST_SIGNER/ -keyout '
+f'{capsule_sig_dir}{sig_name}.key '
+f'-out {capsule_sig_dir}{sig_name}.crt -nodes -days 365' )
+run_command(name, cmd, source_dir)
+
+gen_capsule_payloads(capsule_sig_dir)
+
 def run_build(config, source_dir, build_dir, board_type, log):
 """run_build: Build U-Boot
 
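
Review bot: setup_capsule_build() writes the signing keys and SIGNER.esl to the fixed path /tmp/capsules/, and that ESL is what the build then embeds as the trusted key. On a shared host a predictable directory under /tmp can be created or modified by another user before the build reads it; deriving the directory from build_dir (which is passed in but unused, as is board_type) keeps the material private to the run. Smaller points: the docstring has "soruce_dir" and "the the capsule", the two openssl commands differ only in sig_name and could be one helper, and the payload names are built with f'{capsule_dir}u-boot.bin.old', which silently depends on the trailing slash, so os.path.join() would be safer.
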
@@ -90,6 +170,10 @@ def run_build(config, source_dir, build_dir, board_type, 
log):
 board_type (str): board_type parameter (e.g. 'sandbox')
 log (Logfile): Log file to use
 """
+capsule_boards = ( 'sandbox', 'sandbox64', 'sandbox_flattree' )
+if board_type in capsule_boards:
+setup_capsule_build(source_dir, build_dir, board_type, log)
+
 if config.getoption('buildman'):
 if build_dir != source_dir:
 dest_args = ['-o', build_dir, '-w']
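
Review bot: the capsule setup is called at the top of every run_build() for the listed boards, so each run regenerates both key pairs with openssl even when /tmp/capsules/ is already populated, for example by the Dockerfile step in patch 06. Skip the generation when the files exist, or pick one of the two places to create them. capsule_boards also includes 'sandbox64', which the cover letter's list of tested variants (sandbox and sandbox_flattree) does not mention; say why it is needed or drop it.
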
-- 
2.34.1



[PATCH v5 11/12] sandbox: capsule: Add a config file for generating capsules

2023-07-25 Thread Sughosh Ganu
Support has been added to the mkeficapsule tool to generate capsules
by parsing the capsule parameters through a config file. Add a config
file for generating capsules. These capsules will be used for testing
the capsule update feature on sandbox platform.

Enable generation of capsules through the config file on the sandbox
variant.

Signed-off-by: Sughosh Ganu 
---
Changes since V4:
* Use a relative path for CONFIG_EFI_CAPSULE_CFG_FILE.
* Remove logic to copy capsule config file to /tmp/capsules/
  directory, as the capsule entry can handle relative paths.
* Add a comment in the capsule config file for the image GUIDs being
  used.
* Use lower case for image GUIDs.

 configs/sandbox_defconfig |   2 +
 .../test_efi_capsule/sandbox_capsule_cfg.txt  | 175 ++
 2 files changed, 177 insertions(+)
 create mode 100644 test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt

diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index 53e342b3fa..49ca6f5f61 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -343,6 +343,8 @@ CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
 CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
+CONFIG_EFI_CAPSULE_CFG_FILE="test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt"
+CONFIG_EFI_USE_CAPSULE_CFG_FILE=y
 CONFIG_EFI_SECURE_BOOT=y
 CONFIG_TEST_FDTDEC=y
 CONFIG_UNIT_TEST=y
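
Review bot: CONFIG_EFI_CAPSULE_CFG_FILE is relative to the source tree, but every payload, key and capsule path inside the referenced config file is an absolute /tmp/capsules/ path, as is CONFIG_EFI_CAPSULE_ESL_FILE just above it. A sandbox_defconfig build outside the test harness therefore depends on that directory having been populated first; document the prerequisite or make the paths in the config file relative as well.
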
diff --git a/test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt 
b/test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt
new file mode 100644
index 00..bfce3bbb5f
--- /dev/null
+++ b/test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt
@@ -0,0 +1,175 @@
+# This is a config file used for generating EFI capsules for the
+# sandbox platform. The image GUIDs used in this file are as
+# follows
+#
+# 09d7cf52-0720-4710-91d1-08469b7fe9c8 - u-boot image GUID
+#
+# 5a7021f5-fef2-48b4-aaba-832e777418c0 - u-boot env image GUID
+#
+# 3673b45d-6a7c-46f3-9e60-adabb03f7937 - FIT image GUID
+#
+# 058b7d83-50d5-4c47-a195-60d86ad341c4 - Incorrect GUID for the platform
+#
+
+{
+   image-index: 1
+   image-guid: 09d7cf52-0720-4710-91d1-08469b7fe9c8
+   payload: /tmp/capsules/u-boot.bin.new
+   capsule: /tmp/capsules/Test01
+}
+{
+   image-index: 2
+   image-guid: 5a7021f5-fef2-48b4-aaba-832e777418c0
+   payload: /tmp/capsules/u-boot.env.new
+   capsule: /tmp/capsules/Test02
+}
+{
+   image-index: 1
+   image-guid: 058b7d83-50d5-4c47-a195-60d86ad341c4
+   payload: /tmp/capsules/u-boot.bin.new
+   capsule: /tmp/capsules/Test03
+
+}
+{
+   image-index: 1
+   image-guid: 3673b45d-6a7c-46f3-9e60-adabb03f7937
+   payload: /tmp/capsules/uboot_bin_env.itb
+   capsule: /tmp/capsules/Test04
+
+}
+{
+   image-index: 1
+   image-guid: 058b7d83-50d5-4c47-a195-60d86ad341c4
+   payload: /tmp/capsules/uboot_bin_env.itb
+   capsule: /tmp/capsules/Test05
+
+}
+{
+   image-index: 1
+   image-guid: 058b7d83-50d5-4c47-a195-60d86ad341c4
+   payload: /tmp/capsules/uboot_bin_env.itb
+   capsule: /tmp/capsules/Test05
+}
+{
+   image-index: 1
+   monotonic-count: 1
+   private-key: /tmp/capsules/SIGNER.key
+   pub-key-cert: /tmp/capsules/SIGNER.crt
+   image-guid: 09d7cf52-0720-4710-91d1-08469b7fe9c8
+   payload: /tmp/capsules/u-boot.bin.new
+   capsule: /tmp/capsules/Test11
+}
+{
+   image-index: 1
+   monotonic-count: 1
+   private-key: /tmp/capsules/SIGNER2.key
+   pub-key-cert: /tmp/capsules/SIGNER2.crt
+   image-guid: 09d7cf52-0720-4710-91d1-08469b7fe9c8
+   payload: /tmp/capsules/u-boot.bin.new
+   capsule: /tmp/capsules/Test12
+}
+{
+   image-index: 1
+   monotonic-count: 1
+   private-key: /tmp/capsules/SIGNER.key
+   pub-key-cert: /tmp/capsules/SIGNER.crt
+   image-guid: 3673b45d-6a7c-46f3-9e60-adabb03f7937
+   payload: /tmp/capsules/uboot_bin_env.itb
+   capsule: /tmp/capsules/Test13
+}
+{
+   image-index: 1
+   monotonic-count: 1
+   private-key: /tmp/capsules/SIGNER2.key
+   pub-key-cert: /tmp/capsules/SIGNER2.crt
+   image-guid: 3673b45d-6a7c-46f3-9e60-adabb03f7937
+   payload: /tmp/capsules/uboot_bin_env.itb
+   capsule: /tmp/capsules/Test14
+}
+{
+   image-index: 1
+   fw-version: 5
+   image-guid: 09d7cf52-0720-4710-91d1-08469b7fe9c8
+   payload: /tmp/capsules/u-boot.bin.new
+   capsule: /tmp/capsules/Test101
+}
+{
+   image-index: 2
+   fw-version: 10
+   image-guid: 5a7021f5-fef2-48b4-aaba-832e777418c0
+   payload: /tmp/capsules/u-boot.env.new
+   capsule: /tmp/capsules/Test102
+}
+{
+   image-index: 1
+   fw-version: 2
+   image-guid: 09d7cf52-0720-4710-91d1-08469b7fe9c8
+   payload: /tmp/capsules/u-boot.bin.new
+   capsule: /tmp/capsules/Test103
+
+}
+{
+   image-index: 1
+   fw-version: 5
+   image
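
Review bot: the block for /tmp/capsules/Test05 appears twice with identical image-index, image-guid and payload, so the second entry just regenerates the same file; one of them is either redundant or was meant to be a different test case. Several blocks (Test03, Test04, the first Test05, Test103) also have an empty line before the closing brace while the rest do not. The header comment explains the GUIDs; add a line saying which of SIGNER and SIGNER2 is the key embedded in the dtb, so the purpose of Test12 and Test14 is clear.
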

[PATCH v5 10/12] test: capsule: Remove public key embed logic from capsule update test

2023-07-25 Thread Sughosh Ganu
The embedding of the public key EFI Signature List(ESL) file into the
platform's DTB is now done at the time of u-boot build. Remove this
logic from the capsule update test's configuration.

Include the public key for the sandbox and sandbox_flattree variants
as part of the build.

Signed-off-by: Sughosh Ganu 
---
Changes since V4: None

 configs/sandbox_defconfig|  1 +
 configs/sandbox_flattree_defconfig   |  1 +
 test/py/tests/test_efi_capsule/conftest.py   | 37 
 test/py/tests/test_efi_capsule/signature.dts | 10 --
 4 files changed, 9 insertions(+), 40 deletions(-)
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts

diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index 19cc6701e6..53e342b3fa 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -342,6 +342,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
 CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
 CONFIG_EFI_SECURE_BOOT=y
 CONFIG_TEST_FDTDEC=y
 CONFIG_UNIT_TEST=y
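
Review bot: hard-coding CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl" in the defconfig means the key the sandbox build trusts comes from a temporary directory. With the $(error ...) check added in lib/efi_loader/Makefile, a plain sandbox_defconfig build also fails unless something has created that file first. Note the prerequisite in the sandbox documentation, or have the build generate a throwaway test key when the file is absent. The same applies to the sandbox_flattree_defconfig hunk below.
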
diff --git a/configs/sandbox_flattree_defconfig 
b/configs/sandbox_flattree_defconfig
index 8aa295686d..06b1408b90 100644
--- a/configs/sandbox_flattree_defconfig
+++ b/configs/sandbox_flattree_defconfig
@@ -227,6 +227,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
 CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
 CONFIG_UNIT_TEST=y
 CONFIG_UT_TIME=y
 CONFIG_UT_DM=y
diff --git a/test/py/tests/test_efi_capsule/conftest.py 
b/test/py/tests/test_efi_capsule/conftest.py
index 054be1ee97..99b502902e 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -25,48 +25,25 @@ def efi_capsule_data(request, u_boot_config):
 image_path = u_boot_config.persistent_data_dir + '/test_efi_capsule.img'
 
 try:
+capsules_path_dir = '/tmp/capsules/'
 # Create a target device
 check_call('dd if=/dev/zero of=./spi.bin bs=1MiB count=16', shell=True)
 
 check_call('rm -rf %s' % mnt_point, shell=True)
 check_call('mkdir -p %s' % data_dir, shell=True)
 check_call('mkdir -p %s' % install_dir, shell=True)
-
-capsule_auth_enabled = u_boot_config.buildconfig.get(
-'config_efi_capsule_authenticate')
-if capsule_auth_enabled:
-# Create private key (SIGNER.key) and certificate (SIGNER.crt)
-check_call('cd %s; '
-   'openssl req -x509 -sha256 -newkey rsa:2048 '
-'-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
-'-out SIGNER.crt -nodes -days 365'
-   % data_dir, shell=True)
-check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
-   % (data_dir, EFITOOLS_PATH), shell=True)
-
-# Update dtb adding capsule certificate
-check_call('cd %s; '
-   'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
-   % (data_dir, u_boot_config.source_dir), shell=True)
-check_call('cd %s; '
-   'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
-   'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
-'-o test_sig.dtb signature.dtbo'
-   % (data_dir, u_boot_config.build_dir), shell=True)
-
-# Create *malicious* private key (SIGNER2.key) and certificate
-# (SIGNER2.crt)
-check_call('cd %s; '
-   'openssl req -x509 -sha256 -newkey rsa:2048 '
-'-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
-'-out SIGNER2.crt -nodes -days 365'
-   % data_dir, shell=True)
+check_call('cp %s/* %s ' % (capsules_path_dir, data_dir), shell=True)
 
 # Update dtb to add the version information
 check_call('cd %s; '
'cp %s/test/py/tests/test_efi_capsule/version.dts .'
% (data_dir, u_boot_config.source_dir), shell=True)
+
+capsule_auth_enabled = u_boot_config.buildconfig.get(
+'config_efi_capsule_authenticate')
 if capsule_auth_enabled:
+check_call('cp %s/arch/sandbox/dts/test.dtb %s/test_sig.dtb' %
+   (u_boot_config.build_dir, data_dir), shell=True)
 check_call('cd %s; '
'dtc -@ -I dts -O dtb -o version.dtbo vers
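
Review bot: check_call('cp %s/* %s ' ...) now runs unconditionally, before capsule_auth_enabled is read, so the cp fails for any configuration where /tmp/capsules/ was never created, and it copies the private keys along with everything else. Copy only the files the tests use, and guard the copy on the directory existing. With the overlay step removed, test_sig.dtb is a straight copy of test.dtb, so nothing in the fixture confirms that the build embedded the capsule key; a check that the signature node is present in the copied dtb would catch a build that silently skipped it.
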

[PATCH v5 07/12] binman: capsule: Add support for generating capsules

2023-07-25 Thread Sughosh Ganu
Add support in binman for generating capsules. The capsule parameters
can be specified either through a config file or through the capsule
binman entry. Also add test cases in binman for capsule generation,
and enable this testing on the sandbox_spl variant.

Signed-off-by: Sughosh Ganu 
---
Changes since V4:
* Rebase on top of current HEAD.
* Remove blank lines after function comments.
* Fix a couple of typos.
* Use single quotes for strings.
* Put the GUIDs in variables with relevant names.
* Declare certain values in local variables instead of member values.
* Add comments for explaining the payload offsets in the capsule file.
* Drop the test case for generating the capsule from the config
  file.
* Define payload data for the capsule tests.
* Add logic to find input and output files in capsule generation in
  the indir and outdir directories when absolute path is not passed.

 configs/sandbox_spl_defconfig |   1 +
 tools/binman/btool/mkeficapsule.py| 153 ++
 tools/binman/entries.rst  |  42 +
 tools/binman/etype/capsule.py | 132 +++
 tools/binman/ftest.py | 115 +
 tools/binman/test/307_capsule.dts |  19 +++
 tools/binman/test/308_capsule_signed.dts  |  21 +++
 tools/binman/test/309_capsule_version.dts |  20 +++
 tools/binman/test/310_capsule_missing_key.dts |  20 +++
 .../binman/test/311_capsule_missing_index.dts |  18 +++
 .../binman/test/312_capsule_missing_guid.dts  |  17 ++
 .../test/313_capsule_missing_payload.dts  |  18 +++
 tools/binman/test/314_capsule_missing.dts |  18 +++
 tools/binman/test/files/capsule_cfg.txt   |   6 +
 14 files changed, 600 insertions(+)
 create mode 100644 tools/binman/btool/mkeficapsule.py
 create mode 100644 tools/binman/etype/capsule.py
 create mode 100644 tools/binman/test/307_capsule.dts
 create mode 100644 tools/binman/test/308_capsule_signed.dts
 create mode 100644 tools/binman/test/309_capsule_version.dts
 create mode 100644 tools/binman/test/310_capsule_missing_key.dts
 create mode 100644 tools/binman/test/311_capsule_missing_index.dts
 create mode 100644 tools/binman/test/312_capsule_missing_guid.dts
 create mode 100644 tools/binman/test/313_capsule_missing_payload.dts
 create mode 100644 tools/binman/test/314_capsule_missing.dts
 create mode 100644 tools/binman/test/files/capsule_cfg.txt

diff --git a/configs/sandbox_spl_defconfig b/configs/sandbox_spl_defconfig
index 8d50162b27..65223475ab 100644
--- a/configs/sandbox_spl_defconfig
+++ b/configs/sandbox_spl_defconfig
@@ -249,3 +249,4 @@ CONFIG_UNIT_TEST=y
 CONFIG_SPL_UNIT_TEST=y
 CONFIG_UT_TIME=y
 CONFIG_UT_DM=y
+CONFIG_TOOLS_MKEFICAPSULE=y
diff --git a/tools/binman/btool/mkeficapsule.py 
b/tools/binman/btool/mkeficapsule.py
new file mode 100644
index 00..bfd6552b9a
--- /dev/null
+++ b/tools/binman/btool/mkeficapsule.py
@@ -0,0 +1,153 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright 2023 Linaro Limited
+#
+"""Bintool implementation for mkeficapsule tool
+
+mkeficapsule is a tool used for generating EFI capsules.
+
+The following are the command-line options to be provided
+to the tool
+Usage: mkeficapsule [options]  
+Options:
+   -g, --guid guid for image blob type
+   -i, --index  update image index
+   -I, --instanceupdate hardware instance
+   -v, --fw-version   firmware version
+   -p, --private-key   private key file
+   -c, --certificate  signer's certificate file
+   -m, --monotonic-count  monotonic count
+   -d, --dump_sig  dump signature (*.p7)
+   -A, --fw-accept  firmware accept capsule, requires GUID, no image blob
+   -R, --fw-revert  firmware revert capsule, takes no GUID, no image blob
+   -o, --capoemflag Capsule OEM Flag, an integer between 0x and 0x
+   -f, --cfg-file  config file with capsule parameters
+   -h, --help  print a help message
+"""
+
+from binman import bintool
+
+class Bintoolmkeficapsule(bintool.Bintool):
+"""Handles the 'mkeficapsule' tool
+
+This bintool is used for generating the EFI capsules. The
+capsule generation parameters can either be specified through
+command-line, or through a config file.
+"""
+def __init__(self, name):
+super().__init__(name, 'mkeficapsule tool for generating capsules')
+
+def capsule_cfg_file(self, cfg_file):
+"""Generate a capsule reading parameters from config file
+
+Args:
+cfg_file (str): Path to the config file
+
+Returns:
+str: Tool output
+"""
+args = [
+f'--cfg-file={cfg_file}'
+]
+return self.run_cmd(*args)
+
+def cmdline_capsule(self, image_index, image_guid, hardware_instance,
+
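
Review bot: the module docstring reproduces the tool's --help output, which will go stale as soon as mkeficapsule gains or changes an option. Suggest trimming it to a one-line description plus a pointer to the tool's own help. In capsule_cfg_file(), the Args text should also say whether cfg_file must be absolute or is resolved against binman's input directory, since the changelog mentions looking up files in indir and outdir when an absolute path is not passed.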

[PATCH v5 12/12] sandbox: capsule: Generate capsule related files through binman

2023-07-25 Thread Sughosh Ganu
The EFI capsule files can now be generated as part of u-boot
build. This is done through binman. Add capsule entry nodes in the
u-boot.dtsi for the sandbox architecture for generating the
capsules. Remove the corresponding generation of capsules from the
capsule update conftest file.

The capsules are generated through the config file for the sandbox
variant, and through explicit parameters for the sandbox_flattree
variant.

Also generate the FIT image used for testing the capsule update
feature on the sandbox_flattree variant through binman. Remove the now
superfluous its file which was used for generating this FIT image.

Signed-off-by: Sughosh Ganu 
---
Changes since V4:
* Define macros for the image GUIDs being used for generating the
  capsules.
* Use lower case for image GUIDs.

 arch/sandbox/dts/u-boot.dtsi  | 271 ++
 test/py/tests/test_efi_capsule/conftest.py| 127 
 .../tests/test_efi_capsule/uboot_bin_env.its  |  36 ---
 3 files changed, 271 insertions(+), 163 deletions(-)
 delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its

diff --git a/arch/sandbox/dts/u-boot.dtsi b/arch/sandbox/dts/u-boot.dtsi
index 60bd004937..7606db3764 100644
--- a/arch/sandbox/dts/u-boot.dtsi
+++ b/arch/sandbox/dts/u-boot.dtsi
@@ -7,11 +7,282 @@
  */
 
 #ifdef CONFIG_EFI_HAVE_CAPSULE_SUPPORT
+
+#define SANDBOX_UBOOT_IMAGE_GUID   "09d7cf52-0720-4710-91d1-08469b7fe9c8"
+#define SANDBOX_UBOOT_ENV_IMAGE_GUID   "5a7021f5-fef2-48b4-aaba-832e777418c0"
+#define SANDBOX_FIT_IMAGE_GUID "3673b45d-6a7c-46f3-9e60-adabb03f7937"
+#define SANDBOX_INCORRECT_GUID "058b7d83-50d5-4c47-a195-60d86ad341c4"
+
 / {
 #ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
signature {
capsule-key = /incbin/(CONFIG_EFI_CAPSULE_ESL_FILE);
};
 #endif
+
+   binman: binman {
+   multiple-images;
+   };
+};
+
+&binman {
+   itb {
+   filename = "/tmp/capsules/uboot_bin_env.itb";
+
+   fit {
+   description = "Automatic U-Boot environment update";
+   #address-cells = <2>;
+
+   images {
+   u-boot-bin {
+   description = "U-Boot binary on SPI 
Flash";
+   compression = "none";
+   type = "firmware";
+   arch = "sandbox";
+   load = <0>;
+   blob {
+   filename = 
"/tmp/capsules/u-boot.bin.new";
+   };
+
+   hash-1 {
+   algo = "sha1";
+   };
+   };
+   u-boot-env {
+   description = "U-Boot environment on 
SPI Flash";
+   compression = "none";
+   type = "firmware";
+   arch = "sandbox";
+   load = <0>;
+   blob {
+   filename = 
"/tmp/capsules/u-boot.env.new";
+   };
+
+   hash-1 {
+   algo = "sha1";
+   };
+   };
+   };
+   };
+   };
+
+#ifdef CONFIG_EFI_USE_CAPSULE_CFG_FILE
+   capsule1 {
+   capsule {
+   cfg-file = CONFIG_EFI_CAPSULE_CFG_FILE;
+   };
+   };
+#else
+   capsule2 {
+   capsule {
+   image-index = <0x1>;
+   image-type-id = SANDBOX_UBOOT_IMAGE_GUID;
+   filename = "/tmp/capsules/u-boot.bin.new";
+   capsule = "/tmp/capsules/Test01";
+   };
+   };
+
+   capsule3 {
+   capsule {
+   image-index = <0x2>;
+   image-type-id = SANDBOX_UBOOT_ENV_IMAGE_GUID;
+   filename = "/tmp/capsules/u-boot.env.new";
+   capsule = "/tmp/capsules/Test02";
+   };
+   };
+
+   capsule4 {
+   capsule {
+   image-index = <0x1>;
+   image-type-id = SANDBOX_INCORRECT_GUID;
+   filename = "/tmp/cap
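
Review bot: every input and output in these binman nodes is a fixed path under /tmp/capsules (the itb filename, the blob filenames, and the filename and capsule properties of each capsule node), so the build reads and writes a predictable location in a world-writable directory. On a shared build host another user can pre-create that directory or its files, and two concurrent builds overwrite each other's capsules. Suggest paths relative to the build or test output directory. Separately, the hash-1 nodes in the FIT use algo = "sha1"; sha256 would be the better choice even for a test image.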

Re: [tom.r...@gmail.com: Fwd: New Defects reported by Coverity Scan for Das U-Boot]

2023-10-24 Thread Sughosh Ganu
hi Tom,

On Tue, 24 Oct 2023 at 06:48, Tom Rini  wrote:
>
> Here's the latest report
>
> -- Forwarded message -
> From: 
> Date: Mon, Oct 23, 2023 at 4:40 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: 
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das
> U-Boot found with Coverity Scan.
>
> 16 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 6 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 16 of 16 defect(s)
>



>
> ** CID 467053:(RESOURCE_LEAK)
> /tools/mkeficapsule.c: 859 in dump_capsule_contents()
> /tools/mkeficapsule.c: 859 in dump_capsule_contents()
>
>
> 
> *** CID 467053:(RESOURCE_LEAK)
> /tools/mkeficapsule.c: 859 in dump_capsule_contents()
> 853 empty_capsule_dump(ptr);
> 854 } else {
> 855 fprintf(stderr, "Unable to decode the capsule
> file: %s\n",
> 856 capsule_file);
> 857 exit(EXIT_FAILURE);
> 858 }
> >>> CID 467053:(RESOURCE_LEAK)
> >>> Variable "ptr" going out of scope leaks the storage it points to.
> 859 }
> 860
> 861 /**
> 862  * main - main entry function of mkeficapsule
> 863  * @argc:   Number of arguments
> 864  * @argv:   Array of pointers to arguments
> /tools/mkeficapsule.c: 859 in dump_capsule_contents()
> 853 empty_capsule_dump(ptr);
> 854 } else {
> 855 fprintf(stderr, "Unable to decode the capsule
> file: %s\n",
> 856 capsule_file);
> 857 exit(EXIT_FAILURE);
> 858 }
> >>> CID 467053:(RESOURCE_LEAK)
> >>> Variable "ptr" going out of scope leaks the storage it points to.
> 859 }
> 860
> 861 /**
> 862  * main - main entry function of mkeficapsule
> 863  * @argc:   Number of arguments
> 864  * @argv:   Array of pointers to arguments
>



> ** CID 467045:  Resource leaks  (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 859 in dump_capsule_contents()
>
>
> 
> *** CID 467045:  Resource leaks  (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 859 in dump_capsule_contents()
> 853 empty_capsule_dump(ptr);
> 854 } else {
> 855 fprintf(stderr, "Unable to decode the capsule
> file: %s\n",
> 856 capsule_file);
> 857 exit(EXIT_FAILURE);
> 858 }
> >>> CID 467045:  Resource leaks  (RESOURCE_LEAK)
> >>> Handle variable "fd" going out of scope leaks the handle.
> 859 }
> 860
> 861 /**
> 862  * main - main entry function of mkeficapsule
> 863  * @argc:   Number of arguments
> 864  * @argv:   Array of pointers to arguments
>
>

Both the pointer and file descriptor are not being freed since the
process exits once the dump_capsule_contents() function returns. These
can be marked as false positives. Thanks.

-sughosh


[PATCH v3 0/6] capsule: Embed the public key ESL as part of build

2023-08-21 Thread Sughosh Ganu


This series takes a different approach to embedding the public key EFI
Signature List(ESL) needed for capsule authentication into the
platform's DTB.

The earlier approach [1] was using a u-boot.dtsi file to embed the
key. But this approach has a few issues. 1) The path of the incbin file
is not relative to $(srctree), but relative to the directory of the
dts file which is including the dtsi -- this causes problems when the
dts files are located in different directories. 2) The u-boot.dtsi file
only gets included in the DTB if there are no other *u-boot.dtsi files
being included. 3) A separate u-boot.dtsi is needed per arch.

To get around these issues, this approach generates a dtsi
file(.capsule_esl.dtsi) with the public key node during build. This
generated dtsi file contains the resolved path to the ESL and is then
included for the DTB generation.

The first patch of the series also cleans up the logic to include the
dtsi files, by collating all the dtsi files to be included into a
single variable.

These patches need to be applied on top of the series for generating
the capsules as part of the build [2].

[1] - https://lists.denx.de/pipermail/u-boot/2023-August/526323.html
[2] - https://lore.kernel.org/u-boot/20230812153024.334563-1-sughosh.g...@linaro.org/T/#m85a50079007acf8943cfe8efcc7d78d23a40db7c

Changes since V2:
* Rephrase the statements in a couple of places as suggested by Ilias.

Sughosh Ganu (6):
  scripts/Makefile.lib: Collate all dtsi files for inclusion
  scripts/Makefile.lib: Add dtsi include files as deps for building DTB
  scripts/Makefile.lib: Embed capsule public key in platform's dtb
  sandbox: capsule: Add path to the public key ESL file
  test: capsule: Remove logic to add public key ESL
  doc: capsule: Document the new mechanism to embed ESL file into dtb

 configs/sandbox_defconfig|  1 +
 configs/sandbox_flattree_defconfig   |  1 +
 doc/develop/uefi/uefi.rst| 19 -
 lib/efi_loader/Kconfig   |  8 ++
 lib/efi_loader/capsule_esl.dtsi.in   | 11 +++
 scripts/Makefile.lib | 30 
 test/py/tests/test_efi_capsule/conftest.py   | 28 +-
 test/py/tests/test_efi_capsule/signature.dts | 10 ---
 8 files changed, 58 insertions(+), 50 deletions(-)
 create mode 100644 lib/efi_loader/capsule_esl.dtsi.in
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts

-- 
2.34.1
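
An added example, not part of this patch series or of U-Boot: a check that a build or review step could run on the file named by CONFIG_EFI_CAPSULE_ESL_FILE before it is embedded. It parses the EFI_SIGNATURE_LIST layout from the UEFI specification and returns the SHA-256 fingerprint of each certificate. The function names, the reject list, the sample owner GUID and the stand-in certificate bytes are assumptions constructed for the example, and it assumes the ESL carries X.509 certificates.

```python
import hashlib
import struct
import uuid

# SignatureType GUID for X.509 certificates (EFI_CERT_X509_GUID, UEFI spec)
EFI_CERT_X509_GUID = uuid.UUID('a5c059a1-94e4-4aa7-87b5-ab155c2bf072')
# EFI_SIGNATURE_LIST header: 16-byte type GUID, then SignatureListSize,
# SignatureHeaderSize and SignatureSize as little-endian u32 values
ESL_HDR = struct.Struct('<16sIII')


def parse_esl(blob):
    """Parse one or more concatenated EFI_SIGNATURE_LISTs.

    Returns a list of (sig_type, owner, data) tuples and raises ValueError
    when a size field disagrees with the bytes actually present.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HDR.size:
            raise ValueError(f'truncated list header at offset {off}')
        raw_type, list_size, hdr_size, sig_size = ESL_HDR.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        body = list_size - ESL_HDR.size - hdr_size
        if body <= 0 or off + list_size > len(blob):
            raise ValueError(f'bad SignatureListSize {list_size} at {off}')
        # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID plus the payload
        if sig_size <= 16 or body % sig_size:
            raise ValueError(f'bad SignatureSize {sig_size} at {off}')
        pos = off + ESL_HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries


def capsule_key_fingerprints(blob, reject=frozenset()):
    """Return the SHA-256 hex fingerprints of the certificates in an ESL.

    Raises ValueError for an empty ESL, a non-X.509 entry, a payload that
    does not start with a DER SEQUENCE tag, or a fingerprint listed in
    `reject` (for instance, keys whose private half is published for tests).
    """
    entries = parse_esl(blob)
    if not entries:
        raise ValueError('ESL holds no signatures')
    prints = []
    for sig_type, _owner, data in entries:
        if sig_type != EFI_CERT_X509_GUID:
            raise ValueError(f'unexpected signature type {sig_type}')
        if data[:1] != b'\x30':
            raise ValueError('entry is not DER (no SEQUENCE tag)')
        digest = hashlib.sha256(data).hexdigest()
        if digest in reject:
            raise ValueError(f'certificate {digest} is on the reject list')
        prints.append(digest)
    return prints


def make_esl(cert_der, owner):
    """Build a single-certificate ESL (helper for the constructed sample)."""
    sig_size = 16 + len(cert_der)
    hdr = ESL_HDR.pack(EFI_CERT_X509_GUID.bytes_le,
                       ESL_HDR.size + sig_size, 0, sig_size)
    return hdr + owner.bytes_le + cert_der


# Constructed sample: a stand-in DER blob, not a real certificate
SAMPLE_CERT = bytes.fromhex('3003020101')
SAMPLE_OWNER = uuid.UUID('11111111-2222-3333-4444-555555555555')
SAMPLE_ESL = make_esl(SAMPLE_CERT, SAMPLE_OWNER)

if __name__ == '__main__':
    for fingerprint in capsule_key_fingerprints(SAMPLE_ESL):
        print(fingerprint)
```

Run against a real ESL, the returned fingerprints can be compared with the certificate the release signing key is expected to have.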




[PATCH v3 1/6] scripts/Makefile.lib: Collate all dtsi files for inclusion

2023-08-21 Thread Sughosh Ganu
At the time of building a device-tree file, all the *u-boot.dtsi files
are looked for, in a particular order, and the first file found is
included. Then, the list of files specified in the
CONFIG_DEVICE_TREE_INCLUDES symbol are included.

Combine these files that are to be included into a variable, and then
include all these files in one go.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Tom Rini 
Acked-by: Ilias Apalodimas 
---
Changes since V2: None

 scripts/Makefile.lib | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index f5ab7af0f4..368b5a3e28 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -179,10 +179,13 @@ ifdef DEVICE_TREE_DEBUG
 u_boot_dtsi_options_debug = $(warning $(u_boot_dtsi_options_raw))
 endif
 
-# We use the first match
-u_boot_dtsi = $(strip $(u_boot_dtsi_options_debug) \
+# We use the first match to be included
+dtsi_include_list = $(strip $(u_boot_dtsi_options_debug) \
$(notdir $(firstword $(u_boot_dtsi_options
 
+# The CONFIG_DEVICE_TREE_INCLUDES also need to be included
+dtsi_include_list += $(CONFIG_DEVICE_TREE_INCLUDES)
+
 # Modified for U-Boot
 dtc_cpp_flags  = -Wp,-MD,$(depfile).pre.tmp -nostdinc\
 $(UBOOTINCLUDE) \
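
Review bot: dtsi_include_list += $(CONFIG_DEVICE_TREE_INCLUDES) appends the Kconfig string with its quotes still on, so every consumer of the list has to remember $(subst $(quote),,...). Stripping the quotes once at this assignment would let later users take the list as it is.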
@@ -320,8 +323,8 @@ quiet_cmd_dtc = DTC $@
 # Bring in any U-Boot-specific include at the end of the file
 # And finally any custom .dtsi fragments specified with 
CONFIG_DEVICE_TREE_INCLUDES
 cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
-   (cat $<; $(if $(u_boot_dtsi),echo '$(pound)include "$(u_boot_dtsi)"')) 
> $(pre-tmp); \
-   $(foreach f,$(subst $(quote),,$(CONFIG_DEVICE_TREE_INCLUDES)), \
+   (cat $< > $(pre-tmp)); \
+   $(foreach f,$(subst $(quote),,$(dtsi_include_list)), \
  echo '$(pound)include "$(f)"' >> $(pre-tmp);) \
$(HOSTCC) -E $(dtc_cpp_flags) -x assembler-with-cpp -o $(dtc-tmp) 
$(pre-tmp) ; \
$(DTC) -O dtb -o $@ -b 0 \
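
Review bot: in cmd_dtc, (cat $< > $(pre-tmp)); keeps the subshell parentheses from the old line, where they grouped the cat with the echo; with only the cat left they do nothing and can go. It is also worth stating in the commit message that the include order is unchanged (the first-match u-boot.dtsi, then the CONFIG_DEVICE_TREE_INCLUDES entries), since the resulting DTB depends on it.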
-- 
2.34.1



[PATCH v3 2/6] scripts/Makefile.lib: Add dtsi include files as deps for building DTB

2023-08-21 Thread Sughosh Ganu
At the time of building the DTB, some dtsi files can be selected for
inclusion. Have these dtsi files as dependencies for the DTB
target. This also ensures generation or updating the dtsi files if
need be.

Signed-off-by: Sughosh Ganu 
Acked-by: Ilias Apalodimas 
Reviewed-by: Tom Rini 
---
Changes since V2: None

 scripts/Makefile.lib | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 368b5a3e28..8c5e25c31c 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -334,7 +334,9 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
; \
sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > 
$(depfile)
 
-$(obj)/%.dtb: $(src)/%.dts $(DTC) FORCE
+dtsi_include_list_deps = $(addprefix $(obj)/,$(subst 
$(quote),,$(dtsi_include_list)))
+
+$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
$(call if_changed_dep,dtc)
 
 pre-tmp = $(subst $(comma),_,$(dot-target).pre.tmp)
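
Review bot: dtsi_include_list_deps prefixes every entry with $(obj)/, but as far as these patches show the entries are bare names ($(notdir ...) of the first *u-boot.dtsi match, plus the CONFIG_DEVICE_TREE_INCLUDES fragments) of files that are not generated. In an out-of-tree build, where $(obj) and $(src) differ, make would be given prerequisites that do not exist and have no rule to create them. Suggest limiting the $(obj)/ prefix to generated files and resolving the rest against $(src), with a comment saying which entries are expected to be generated.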
-- 
2.34.1



[PATCH v3 3/6] scripts/Makefile.lib: Embed capsule public key in platform's dtb

2023-08-21 Thread Sughosh Ganu
The EFI capsule authentication logic in u-boot expects the public key
in the form of an EFI Signature List(ESL) to be provided as part of
the platform's dtb. Currently, the embedding of the ESL file into the
dtb needs to be done manually.

Add a target for generating a dtsi file which contains the signature
node with the ESL file included as a property under the signature
node. Include the dtsi file in the dtb. This brings the embedding of
the ESL in the dtb into the U-Boot build flow.

The path to the ESL file is specified through the
CONFIG_EFI_CAPSULE_ESL_FILE symbol.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Tom Rini 
---
Changes since V2: None

 lib/efi_loader/Kconfig |  8 
 lib/efi_loader/capsule_esl.dtsi.in | 11 +++
 scripts/Makefile.lib   | 15 +++
 3 files changed, 34 insertions(+)
 create mode 100644 lib/efi_loader/capsule_esl.dtsi.in

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 9989e3f384..d20aaab6db 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX
  Select the max capsule index value used for capsule report
  variables. This value is used to create CapsuleMax variable.
 
+config EFI_CAPSULE_ESL_FILE
+   string "Path to the EFI Signature List File"
+   depends on EFI_CAPSULE_AUTHENTICATE
+   help
+ Provides the path to the EFI Signature List file which will
+ be embedded in the platform's device tree and used for
+ capsule authentication at the time of capsule update.
+
 config EFI_DEVICE_PATH_TO_TEXT
bool "Device path to text protocol"
default y
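
Review bot: EFI_CAPSULE_ESL_FILE has no default and nothing rejects an empty value, while the Makefile.lib change in this patch adds the generated dtsi whenever CONFIG_EFI_CAPSULE_AUTHENTICATE is set. A board that enables authentication without setting the path would get an /incbin/ of the source directory itself and a confusing dtc error. Suggest failing the build early with a clear message when the symbol is empty, and saying in the help text that the path is taken relative to the source tree.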
diff --git a/lib/efi_loader/capsule_esl.dtsi.in 
b/lib/efi_loader/capsule_esl.dtsi.in
new file mode 100644
index 00..61a9f2b25e
--- /dev/null
+++ b/lib/efi_loader/capsule_esl.dtsi.in
@@ -0,0 +1,11 @@
+// SPDX-License-Identifier: GPL-2.0+
+/**
+ * Devicetree file with the public key EFI Signature List(ESL)
+ * node. This file is used to generate the dtsi file to be
+ * included into the DTB.
+*/
+/ {
+   signature {
+   capsule-key = /incbin/("ESL_BIN_FILE");
+   };
+};
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 8c5e25c31c..3cec46bb15 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -334,6 +334,21 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
; \
sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > 
$(depfile)
 
+quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@
+cmd_capsule_esl_gen = \
+   $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" 
$(capsule_esl_input_file) > $@)
+
+$(obj)/.capsule_esl.dtsi:
+   $(call cmd_capsule_esl_gen)
+
+capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
+capsule_esl_dtsi = .capsule_esl.dtsi
+capsule_esl_path=$(abspath $(srctree)/$(subst 
$(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))
+
+ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+dtsi_include_list += $(capsule_esl_dtsi)
+endif
+
 dtsi_include_list_deps = $(addprefix $(obj)/,$(subst 
$(quote),,$(dtsi_include_list)))
 
 $(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
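
Review bot: the $(obj)/.capsule_esl.dtsi rule has no prerequisites and does not use FORCE with if_changed, so once the file exists it is never regenerated; changing CONFIG_EFI_CAPSULE_ESL_FILE leaves the old key path in the dtsi and therefore the old key in the DTB. Making the rule depend on $(capsule_esl_input_file) and on the configuration, or switching to if_changed with FORCE, fixes that. The recipe also runs sed through $(shell ...), which discards sed's exit status and bypasses quiet_cmd_capsule_esl_gen, and the s:...: expression breaks on a path that contains a colon.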
-- 
2.34.1



[PATCH v3 4/6] sandbox: capsule: Add path to the public key ESL file

2023-08-21 Thread Sughosh Ganu
Add the path to the public key EFI Signature List(ESL) file for the
sandbox variants which enable capsule authentication. This ESL file
gets embedded into the platform's device-tree as part of the build.

Signed-off-by: Sughosh Ganu 
---
Changes since V2: None

 configs/sandbox_defconfig  | 1 +
 configs/sandbox_flattree_defconfig | 1 +
 2 files changed, 2 insertions(+)

diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index 1cd1c2ed7c..9f349d482b 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -340,6 +340,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
 CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="board/sandbox/capsule_pub_esl_good.esl"
 CONFIG_EFI_SECURE_BOOT=y
 CONFIG_TEST_FDTDEC=y
 CONFIG_UNIT_TEST=y
diff --git a/configs/sandbox_flattree_defconfig 
b/configs/sandbox_flattree_defconfig
index 8aa295686d..2a24b38cfb 100644
--- a/configs/sandbox_flattree_defconfig
+++ b/configs/sandbox_flattree_defconfig
@@ -227,6 +227,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
 CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="board/sandbox/capsule_pub_esl_good.esl"
 CONFIG_UNIT_TEST=y
 CONFIG_UT_TIME=y
 CONFIG_UT_DM=y
-- 
2.34.1



[PATCH v3 5/6] test: capsule: Remove logic to add public key ESL

2023-08-21 Thread Sughosh Ganu
The public key EFI Signature List(ESL) needed for capsule
authentication is now embedded into the platform's DTB as part of the
build. Remove the superfluous logic from the test setup.

Signed-off-by: Sughosh Ganu 
---
Changes since V2: None

 test/py/tests/test_efi_capsule/conftest.py   | 28 +---
 test/py/tests/test_efi_capsule/signature.dts | 10 ---
 2 files changed, 7 insertions(+), 31 deletions(-)
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts

diff --git a/test/py/tests/test_efi_capsule/conftest.py 
b/test/py/tests/test_efi_capsule/conftest.py
index 7eead9bc64..67761a9708 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -49,33 +49,19 @@ def efi_capsule_data(request, u_boot_config):
 check_call('cp %s/capsule_pub_key_bad.crt %s/SIGNER2.crt'
% (key_dir, data_dir), shell=True)
 
-# Update dtb adding capsule certificate
-check_call('cd %s; '
-   'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
-   % (data_dir, u_boot_config.source_dir), shell=True)
+if capsule_auth_enabled:
 check_call('cd %s; '
-   'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
-   'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
-'-o test_sig.dtb signature.dtbo'
+   'cp %s/arch/sandbox/dts/test.dtb test_sig.dtb'
% (data_dir, u_boot_config.build_dir), shell=True)
-
 # Update dtb to add the version information
 check_call('cd %s; '
'cp %s/test/py/tests/test_efi_capsule/version.dts .'
% (data_dir, u_boot_config.source_dir), shell=True)
-if capsule_auth_enabled:
-check_call('cd %s; '
-   'dtc -@ -I dts -O dtb -o version.dtbo version.dts; '
-   'fdtoverlay -i test_sig.dtb '
-'-o test_ver.dtb version.dtbo'
-   % (data_dir), shell=True)
-else:
-check_call('cd %s; '
-   'dtc -@ -I dts -O dtb -o version.dtbo version.dts; '
-   'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
-'-o test_ver.dtb version.dtbo'
-   % (data_dir, u_boot_config.build_dir), shell=True)
-
+check_call('cd %s; '
+   'dtc -@ -I dts -O dtb -o version.dtbo version.dts; '
+   'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
+   '-o test_ver.dtb version.dtbo'
+   % (data_dir, u_boot_config.build_dir), shell=True)
 
 check_call('cp %s/u-boot_bin_env.itb %s ' % (u_boot_config.build_dir, 
data_dir), shell=True)
 check_call('cp %s/Test* %s ' % (u_boot_config.build_dir, data_dir), 
shell=True)
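
Review bot: test_sig.dtb is now created only under if capsule_auth_enabled, whereas the removed dtc/fdtoverlay step that produced it was not guarded by that condition. Any test that boots with test_sig.dtb on a build without CONFIG_EFI_CAPSULE_AUTHENTICATE would lose its file, so please confirm that all users are in the authenticated test cases. Since the file is now a plain copy of test.dtb, the tests could also reference test.dtb directly and drop the copy.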
diff --git a/test/py/tests/test_efi_capsule/signature.dts 
b/test/py/tests/test_efi_capsule/signature.dts
deleted file mode 100644
index 078cfc76c9..00
--- a/test/py/tests/test_efi_capsule/signature.dts
+++ /dev/null
@@ -1,10 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0+
-
-/dts-v1/;
-/plugin/;
-
-&{/} {
-   signature {
-   capsule-key = /incbin/("SIGNER.esl");
-   };
-};
-- 
2.34.1



[PATCH v3 6/6] doc: capsule: Document the new mechanism to embed ESL file into dtb

2023-08-21 Thread Sughosh Ganu
Update the document to specify how the EFI Signature List(ESL) file
can be embedded into the platform's dtb as part of the U-Boot build.

Signed-off-by: Sughosh Ganu 
---
Changes since V2:
* Rephrase the statements in a couple of places as suggested by Ilias.

 doc/develop/uefi/uefi.rst | 19 +--
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 3ce579d46e..f422915ef5 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -539,20 +539,11 @@ and used by the steps highlighted below.
 ...
 }
 
-You can do step-4 manually with
-
-.. code-block:: console
-
-$ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts
-$ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo
-
-where signature.dts looks like::
-
-&{/} {
-signature {
-capsule-key = /incbin/("CRT.esl");
-};
-};
+You can perform step-4 through the Kconfig symbol
+CONFIG_EFI_CAPSULE_ESL_FILE. This symbol points to the esl file
+generated in step-2. Once the symbol has been populated with the path
+to the esl file, it will automatically get embedded into the
+platform's dtb as part of U-Boot build.
 
 Anti-rollback Protection
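
Review bot: the new paragraph does not say what the CONFIG_EFI_CAPSULE_ESL_FILE path is relative to, nor that the symbol depends on CONFIG_EFI_CAPSULE_AUTHENTICATE. Patch 3/6 resolves the value against $(srctree), so one sentence stating that, with an example value such as the one used in the sandbox defconfigs, would save users a failed build. "esl file" should be "ESL file", as in the commit message.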
 
-- 
2.34.1



[PATCH v11 00/15] Integrate EFI capsule tasks into U-Boot's build flow

2023-08-22 Thread Sughosh Ganu


This patchset aims to bring two capsule related tasks under the U-Boot
build flow.

The first task is related to generation of capsules. The capsules can
be generated as part of U-Boot build, and this is being achieved
through binman, by adding a capsule entry type. The capsules can be
generated by specifying the capsule parameters as properties under the
capsule entry node.

The other task is the embedding of the public key into the platform's
DTB. The public key is in the form of an EFI Signature List(ESL) file
and is used for capsule authentication. This is being achieved by
adding the signature node containing the capsule public key in the
platform's DTB.

Corresponding changes have also been made to the test setup of the EFI
capsule update feature. The ESL public key file was embedded into the
sandbox platform's test.dtb as part of the test setup, post U-Boot
build. This is now no longer needed as the embedding of the ESL
happens as part of the build.

Secondly, the capsules needed for testing the EFI capsule update
feature were being generated through the invocation of the
mkeficapsule tool. This setup has also been changed to introduce
generation of these capsules through binman.

The document has been updated to reflect the above changes.

Changes since V10:

This series clubs two changes together. 1) Capsule generation through
binman, 2) Embedding the capsule public key ESL into the platform's
DTB [1]. This has been done based on feedback from Tom Rini on IRC.

The capsule generation was being done for all sandbox variant
builds till the V10 version. This is now changed so that the capsules
are only generated as part of the EFI capsule update feature
testing. This has been done based on feedback from Tom Rini [2]. These
changes are part of patch 7. 

* Remove the sandbox_capsule.dtsi file.
* Remove addition of multiple-images property from sandbox.dts and
  test.dts as the capsule generation is moved to the test.
* Add the capsule_gen_binman.dts with binman nodes for capsule
  generation.
* Call the binman tool as part of the capsule test setup for
  generation of capsules.
* Add an example binman capsule node which shows how a capsule can be
  generated through binman.

[1] - https://lists.denx.de/pipermail/u-boot/2023-August/527810.html
[2] - https://lists.denx.de/pipermail/u-boot/2023-August/526987.html

Sughosh Ganu (15):
  binman: bintool: Build a tool from a list of commands
  nuvoton: npcm845-evb: Add a newline at the end of file
  sandbox: capsule: Add keys and certificates needed for capsule update
testing
  sandbox: capsule: Enable EFI capsule module on sandbox variants
  btool: mkeficapsule: Add a bintool for EFI capsule generation
  binman: capsule: Add support for generating EFI capsules
  test: capsule: Generate EFI capsules through binman
  doc: Add documentation to highlight capsule generation related updates
  sandbox: trace: Increase trace buffer size
  scripts/Makefile.lib: Collate all dtsi files for inclusion
  scripts/Makefile.lib: Add dtsi include files as deps for building DTB
  scripts/Makefile.lib: Embed capsule public key in platform's dtb
  sandbox: capsule: Add path to the public key ESL file
  test: capsule: Remove logic to add public key ESL
  doc: capsule: Document the new mechanism to embed ESL file into dtb

 .azure-pipelines.yml  |   2 +-
 .gitlab-ci.yml|   2 +-
 arch/arm/dts/nuvoton-npcm845-evb.dts  |   2 +-
 board/sandbox/capsule_priv_key_bad.key|  28 ++
 board/sandbox/capsule_priv_key_good.key   |  28 ++
 board/sandbox/capsule_pub_esl_good.esl| Bin 0 -> 831 bytes
 board/sandbox/capsule_pub_key_bad.crt |  19 ++
 board/sandbox/capsule_pub_key_good.crt|  19 ++
 configs/sandbox_defconfig |   1 +
 configs/sandbox_flattree_defconfig|   1 +
 configs/sandbox_noinst_defconfig  |   2 +
 configs/sandbox_spl_defconfig |   2 +
 configs/sandbox_vpl_defconfig |   2 +
 doc/develop/uefi/uefi.rst |  59 +++-
 include/sandbox_efi_capsule.h |  21 ++
 lib/efi_loader/Kconfig|   8 +
 lib/efi_loader/capsule_esl.dtsi.in|  11 +
 scripts/Makefile.lib  |  30 +-
 .../test_efi_capsule/capsule_gen_binman.dts   | 321 ++
 test/py/tests/test_efi_capsule/conftest.py| 175 ++
 test/py/tests/test_efi_capsule/signature.dts  |  10 -
 .../tests/test_efi_capsule/uboot_bin_env.its  |  36 --
 test/py/tests/test_trace.py   |   2 +-
 tools/binman/bintool.py   |  19 +-
 tools/binman/btool/mkeficapsule.py| 101 ++
 tools/binman/entries.rst  |  64 
 tools/binman/etype/efi_capsule.py | 143 
 tools/binman/ftest.py | 118 +++
 tools/binman/test/311_capsule.dts

[PATCH v11 01/15] binman: bintool: Build a tool from a list of commands

2023-08-22 Thread Sughosh Ganu
Add support to build a tool from source with a list of commands. This
is useful when a tool can be built with multiple commands instead of a
single command.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Simon Glass 
---
Changes since V10: None

 tools/binman/bintool.py | 19 +++
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/tools/binman/bintool.py b/tools/binman/bintool.py
index 0b0f56dbbb..3c4ad1adbb 100644
--- a/tools/binman/bintool.py
+++ b/tools/binman/bintool.py
@@ -328,7 +328,7 @@ class Bintool:
 return result.stdout
 
 @classmethod
-def build_from_git(cls, git_repo, make_target, bintool_path, flags=None):
+def build_from_git(cls, git_repo, make_targets, bintool_path, flags=None):
 """Build a bintool from a git repo
 
 This clones the repo in a temporary directory, builds it with 'make',
@@ -336,7 +336,8 @@ class Bintool:
 
 Args:
 git_repo (str): URL of git repo
-make_target (str): Target to pass to 'make' to build the tool
+make_targets (list of str): List of targets to pass to 'make' to 
build
+the tool
 bintool_path (str): Relative path of the tool in the repo, after
 build is complete
 flags (list of str): Flags or variables to pass to make, or None
@@ -350,12 +351,14 @@ class Bintool:
 tmpdir = tempfile.mkdtemp(prefix='binmanf.')
 print(f"- clone git repo '{git_repo}' to '{tmpdir}'")
 tools.run('git', 'clone', '--depth', '1', git_repo, tmpdir)
-print(f"- build target '{make_target}'")
-cmd = ['make', '-C', tmpdir, '-j', f'{multiprocessing.cpu_count()}',
-   make_target]
-if flags:
-cmd += flags
-tools.run(*cmd)
+for target in make_targets:
+print(f"- build target '{target}'")
+cmd = ['make', '-C', tmpdir, '-j', 
f'{multiprocessing.cpu_count()}',
+   target]
+if flags:
+cmd += flags
+tools.run(*cmd)
+
 fname = os.path.join(tmpdir, bintool_path)
 if not os.path.exists(fname):
 print(f"- File '{fname}' was not produced")
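
Review bot: build_from_git() now iterates over make_targets, so a caller that still passes a single string would have make invoked once per character of the target name. The diffstat shows only bintool.py changing, so any existing caller needs updating in this same patch, or the function should accept a str and wrap it in a list. The flags are also appended to every make invocation; if that is intended, the Args text for flags should say so.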
-- 
2.34.1



[PATCH v11 02/15] nuvoton: npcm845-evb: Add a newline at the end of file

2023-08-22 Thread Sughosh Ganu
Add a newline at the end of the dts, without which the build fails
when including a dtsi file.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Simon Glass 
Reviewed-by: Ilias Apalodimas 
---
Changes since V10: None

 arch/arm/dts/nuvoton-npcm845-evb.dts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/dts/nuvoton-npcm845-evb.dts 
b/arch/arm/dts/nuvoton-npcm845-evb.dts
index 3cab7807e3..a93666cb41 100644
--- a/arch/arm/dts/nuvoton-npcm845-evb.dts
+++ b/arch/arm/dts/nuvoton-npcm845-evb.dts
@@ -354,4 +354,4 @@
&r1en_pins
&r1oen_pins
>;
-};
\ No newline at end of file
+};
-- 
2.34.1



[PATCH v11 03/15] sandbox: capsule: Add keys and certificates needed for capsule update testing

2023-08-22 Thread Sughosh Ganu
Add the private keys and public key certificates which are to be used
for capsule authentication while testing the EFI capsule update
functionality. There are two pairs of private and public keys, good
and bad. The good key pair will be used for signing capsules, whilst
the bad key pair is to be used as malicious keys for testing
authentication failure cases. The capsule_pub_key_good.crt is also
converted to an EFI Signature List(ESL) file, SIGNER.esl, which is
embedded in the platform's device-tree for capsule authentication.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Simon Glass 
---
Changes since V10: None

 board/sandbox/capsule_priv_key_bad.key  |  28 
 board/sandbox/capsule_priv_key_good.key |  28 
 board/sandbox/capsule_pub_esl_good.esl  | Bin 0 -> 831 bytes
 board/sandbox/capsule_pub_key_bad.crt   |  19 
 board/sandbox/capsule_pub_key_good.crt  |  19 
 5 files changed, 94 insertions(+)
 create mode 100644 board/sandbox/capsule_priv_key_bad.key
 create mode 100644 board/sandbox/capsule_priv_key_good.key
 create mode 100644 board/sandbox/capsule_pub_esl_good.esl
 create mode 100644 board/sandbox/capsule_pub_key_bad.crt
 create mode 100644 board/sandbox/capsule_pub_key_good.crt

diff --git a/board/sandbox/capsule_priv_key_bad.key 
b/board/sandbox/capsule_priv_key_bad.key
new file mode 100644
index 00..2324f69ebd
--- /dev/null
+++ b/board/sandbox/capsule_priv_key_bad.key
@@ -0,0 +1,28 @@
+-BEGIN PRIVATE KEY-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+-END PRIVATE KEY-
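Review bot: this hunk commits a private key in clear text under board/sandbox/, and neither the path nor the file name marks it as a throwaway test key. The commit message says the pair exists only to exercise authentication failure cases, so make that visible in the tree: put "test" in the file names, or add a short README next to the keys saying they are for sandbox capsule tests only and must not be referenced from any non-sandbox defconfig. The same applies to capsule_priv_key_good.key in the next hunk. Separately, the commit message calls the ESL file SIGNER.esl while the file added by this patch is capsule_pub_esl_good.esl; please align the two.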
diff --git a/board/sandbox/capsule_priv_key_good.key 
b/board/sandbox/capsule_priv_key_good.key
new file mode 100644
index 00..9a37f59796
--- /dev/null
+++ b/board/sandbox/capsule_priv_key_good.key
@@ -0,0 +1,28 @@
+-BEGIN PRIVATE KEY-

[PATCH v11 04/15] sandbox: capsule: Enable EFI capsule module on sandbox variants

2023-08-22 Thread Sughosh Ganu
Enable the EFI capsule update code on all sandbox variants. This was
already enabled on the sandbox, sandbox64 and sandbox_flattree
variants. The rest of the variants also have the EFI capsule update
module enabled now. With this commit, the mkeficapsule tool also gets
enabled on all variants.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Simon Glass 
---
Changes since V10: None

 configs/sandbox_noinst_defconfig | 2 ++
 configs/sandbox_spl_defconfig| 2 ++
 configs/sandbox_vpl_defconfig| 2 ++
 3 files changed, 6 insertions(+)

diff --git a/configs/sandbox_noinst_defconfig b/configs/sandbox_noinst_defconfig
index 2c6aab6c85..e202ffccd2 100644
--- a/configs/sandbox_noinst_defconfig
+++ b/configs/sandbox_noinst_defconfig
@@ -237,6 +237,8 @@ CONFIG_TPM=y
 CONFIG_LZ4=y
 CONFIG_ZSTD=y
 CONFIG_ERRNO_STR=y
+CONFIG_EFI_CAPSULE_ON_DISK=y
+CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
 CONFIG_UNIT_TEST=y
 CONFIG_SPL_UNIT_TEST=y
 CONFIG_UT_TIME=y
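Review bot: the two added symbols turn on capsule-on-disk and raw firmware updates for this variant, but CONFIG_EFI_CAPSULE_AUTHENTICATE is not among the lines added, so as far as this hunk shows these builds accept capsules without a signature check. If that is intended for these test variants, say so in the commit message; otherwise enable authentication alongside. The sandbox_spl and sandbox_vpl hunks below add the same pair and raise the same question.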
diff --git a/configs/sandbox_spl_defconfig b/configs/sandbox_spl_defconfig
index 8d50162b27..25a21b8493 100644
--- a/configs/sandbox_spl_defconfig
+++ b/configs/sandbox_spl_defconfig
@@ -245,6 +245,8 @@ CONFIG_LZ4=y
 CONFIG_ZSTD=y
 CONFIG_ERRNO_STR=y
 CONFIG_SPL_HEXDUMP=y
+CONFIG_EFI_CAPSULE_ON_DISK=y
+CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
 CONFIG_UNIT_TEST=y
 CONFIG_SPL_UNIT_TEST=y
 CONFIG_UT_TIME=y
diff --git a/configs/sandbox_vpl_defconfig b/configs/sandbox_vpl_defconfig
index f3a0fd19a9..a9a7136ce7 100644
--- a/configs/sandbox_vpl_defconfig
+++ b/configs/sandbox_vpl_defconfig
@@ -256,6 +256,8 @@ CONFIG_LZ4=y
 CONFIG_ZSTD=y
 # CONFIG_VPL_LZMA is not set
 CONFIG_ERRNO_STR=y
+CONFIG_EFI_CAPSULE_ON_DISK=y
+CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
 CONFIG_UNIT_TEST=y
 CONFIG_SPL_UNIT_TEST=y
 CONFIG_UT_TIME=y
-- 
2.34.1



[PATCH v11 05/15] btool: mkeficapsule: Add a bintool for EFI capsule generation

2023-08-22 Thread Sughosh Ganu
Add a bintool for generating EFI capsules. This calls the mkeficapsule
tool which generates the capsules.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Simon Glass 
---
Changes since V10: None

 tools/binman/btool/mkeficapsule.py | 101 +
 1 file changed, 101 insertions(+)
 create mode 100644 tools/binman/btool/mkeficapsule.py

diff --git a/tools/binman/btool/mkeficapsule.py 
b/tools/binman/btool/mkeficapsule.py
new file mode 100644
index 00..61179747ff
--- /dev/null
+++ b/tools/binman/btool/mkeficapsule.py
@@ -0,0 +1,101 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright 2023 Linaro Limited
+#
+"""Bintool implementation for mkeficapsule tool
+
+mkeficapsule is a tool used for generating EFI capsules.
+
+The following are the commandline options to be provided
+to the tool
+Usage: mkeficapsule [options]  
+Options:
+   -g, --guid guid for image blob type
+   -i, --index  update image index
+   -I, --instanceupdate hardware instance
+   -v, --fw-version   firmware version
+   -p, --private-key   private key file
+   -c, --certificate  signer's certificate file
+   -m, --monotonic-count  monotonic count
+   -d, --dump_sig  dump signature (*.p7)
+   -A, --fw-accept  firmware accept capsule, requires GUID, no image blob
+   -R, --fw-revert  firmware revert capsule, takes no GUID, no image blob
+   -o, --capoemflag Capsule OEM Flag, an integer between 0x and 0x
+   -h, --help  print a help message
+"""
+
+from binman import bintool
+
+class Bintoolmkeficapsule(bintool.Bintool):
+"""Handles the 'mkeficapsule' tool
+
+This bintool is used for generating the EFI capsules. The
+capsule generation parameters can either be specified through
+commandline, or through a config file.
+"""
+def __init__(self, name):
+super().__init__(name, 'mkeficapsule tool for generating capsules')
+
+def generate_capsule(self, image_index, image_guid, hardware_instance,
+ payload, output_fname, priv_key, pub_key,
+ monotonic_count=0, version=0, oemflags=0):
+"""Generate a capsule through commandline-provided parameters
+
+Args:
+image_index (int): Unique number for identifying payload image
+image_guid (str): GUID used for identifying the image
+hardware_instance (int): Optional unique hardware instance of
+a device in the system. 0 if not being used
+payload (str): Path to the input payload image
+output_fname (str): Path to the output capsule file
+priv_key (str): Path to the private key
+pub_key(str): Path to the public key
+monotonic_count (int): Count used when signing an image
+version (int): Image version (Optional)
+oemflags (int): Optional 16 bit OEM flags
+
+Returns:
+str: Tool output
+"""
+args = [
+f'--index={image_index}',
+f'--guid={image_guid}',
+f'--instance={hardware_instance}'
+]
+
+if version:
+args += [f'--fw-version={version}']
+if oemflags:
+args += [f'--capoemflag={oemflags}']
+if priv_key and pub_key:
+args += [
+f'--monotonic-count={monotonic_count}',
+f'--private-key={priv_key}',
+f'--certificate={pub_key}'
+]
+
+args += [
+payload,
+output_fname
+]
+
+return self.run_cmd(*args)
+
+def fetch(self, method):
+"""Fetch handler for mkeficapsule
+
+This builds the tool from source
+
+Returns:
+tuple:
+str: Filename of fetched file to copy to a suitable directory
+str: Name of temp directory to remove, or None
+"""
+if method != bintool.FETCH_BUILD:
+return None
+
+cmd = ['tools-only_defconfig', 'tools']
+result = self.build_from_git(
+'https://source.denx.de/u-boot/u-boot.git',
+cmd,
+'tools/mkeficapsule')
+return result
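Review bot: in generate_capsule(), `if priv_key and pub_key:` silently drops the signing arguments when only one of the two is passed, so a caller that forgets the certificate gets an unsigned capsule and no error. Raise an error when exactly one of priv_key and pub_key is set, and since the pair is only needed for signed capsules, give both a default of None and document them as optional in the Args section. Smaller points: `if version:` and `if oemflags:` treat 0 as "not given", which is worth stating in the docstring, and `pub_key(str)` is missing a space.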
-- 
2.34.1



[PATCH v11 06/15] binman: capsule: Add support for generating EFI capsules

2023-08-22 Thread Sughosh Ganu
Add support in binman for generating EFI capsules. The capsule
parameters can be specified through the capsule binman entry. Also add
test cases in binman for testing capsule generation.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Simon Glass 
---
Changes since V10: None

 tools/binman/entries.rst  |  64 
 tools/binman/etype/efi_capsule.py | 143 ++
 tools/binman/ftest.py | 118 +++
 tools/binman/test/311_capsule.dts |  21 +++
 tools/binman/test/312_capsule_signed.dts  |  23 +++
 tools/binman/test/313_capsule_version.dts |  22 +++
 tools/binman/test/314_capsule_signed_ver.dts  |  24 +++
 tools/binman/test/315_capsule_oemflags.dts|  22 +++
 tools/binman/test/316_capsule_missing_key.dts |  22 +++
 .../binman/test/317_capsule_missing_index.dts |  20 +++
 .../binman/test/318_capsule_missing_guid.dts  |  19 +++
 11 files changed, 498 insertions(+)
 create mode 100644 tools/binman/etype/efi_capsule.py
 create mode 100644 tools/binman/test/311_capsule.dts
 create mode 100644 tools/binman/test/312_capsule_signed.dts
 create mode 100644 tools/binman/test/313_capsule_version.dts
 create mode 100644 tools/binman/test/314_capsule_signed_ver.dts
 create mode 100644 tools/binman/test/315_capsule_oemflags.dts
 create mode 100644 tools/binman/test/316_capsule_missing_key.dts
 create mode 100644 tools/binman/test/317_capsule_missing_index.dts
 create mode 100644 tools/binman/test/318_capsule_missing_guid.dts

diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index e7dfe6b2a3..801bd94674 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -468,6 +468,70 @@ updating the EC on startup via software sync.
 
 
 
+.. _etype_efi_capsule:
+
+Entry: capsule: Entry for generating EFI Capsule files
+--
+
+The parameters needed for generation of the capsules can be provided
+as properties in the entry.
+
+Properties / Entry arguments:
+- image-index: Unique number for identifying corresponding
+  payload image. Number between 1 and descriptor count, i.e.
+  the total number of firmware images that can be updated. Mandatory
+  property.
+- image-guid: Image GUID which will be used for identifying the
+  updatable image on the board. Mandatory property.
+- hardware-instance: Optional number for identifying unique
+  hardware instance of a device in the system. Default value of 0
+  for images where value is not to be used.
+- fw-version: Value of image version that can be put on the capsule
+  through the Firmware Management Protocol(FMP) header.
+- monotonic-count: Count used when signing an image.
+- private-key: Path to PEM formatted .key private key file. Mandatory
+  property for generating signed capsules.
+- public-key-cert: Path to PEM formatted .crt public key certificate
+  file. Mandatory property for generating signed capsules.
+- oem-flags - OEM flags to be passed through capsule header.
+
+Since this is a subclass of Entry_section, all properties of the parent
+class also apply here. Except for the properties stated as mandatory, the
+rest of the properties are optional.
+
+For more details on the description of the capsule format, and the capsule
+update functionality, refer Section 8.5 and Chapter 23 in the `UEFI
+specification`_.
+
+The capsule parameters like image index and image GUID are passed as
+properties in the entry. The payload to be used in the capsule is to be
+provided as a subnode of the capsule entry.
+
+A typical capsule entry node would then look something like this::
+
+capsule {
+type = "efi-capsule";
+image-index = <0x1>;
+/* Image GUID for testing capsule update */
+image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+hardware-instance = <0x0>;
+private-key = "path/to/the/private/key";
+public-key-cert = "path/to/the/public-key-cert";
+oem-flags = <0x8000>;
+
+u-boot {
+};
+};
+
+In the above example, the capsule payload is the U-Boot image. The
+capsule entry would read the contents of the payload and put them
+into the capsule. Any external file can also be specified as the
+payload using the blob-ext subnode.
+
+.. _`UEFI specification`: 
https://uefi.org/sites/default/files/resources/UEFI_Spec_2_10_Aug29.pdf
+
+
+
 .. _etype_encrypted:
 
 Entry: encrypted: Externally built encrypted binary blob
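Review bot: the section heading reads "Entry: capsule:" while the label is etype_efi_capsule and the example sets type = "efi-capsule"; the heading should use efi-capsule so the entry can be found under the name users type. In the property list, private-key and public-key-cert are each called mandatory for signed capsules, but the text does not say what happens when only one is given; state that both are required together. The oem-flags item uses " - " where every other item uses ":".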
diff --git a/tools/binman/etype/efi_capsule.py 
b/tools/binman/etype/efi_capsule.py
new file mode 100644
index 00..006eb630ad
--- /dev/null
+++ b/tools/binman/etype/efi_capsule.py
@@ -0,0 +1,143 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (c) 2023 Linaro Limited
+#
+# Entry-type module for producing a EFI capsule
+#
+
+import os
+
+from binman.entr

[PATCH v11 07/15] test: capsule: Generate EFI capsules through binman

2023-08-22 Thread Sughosh Ganu
Support has been added for generating the EFI capsules through
binman. Make changes in the EFI capsule update testing feature to
generate capsules through binman.

Signed-off-by: Sughosh Ganu 
---
Changes since V10:
* Remove the sandbox_capsule.dtsi file.
* Remove addition of multiple-images property from sandbox.dts and
  test.dts as the capsule generation is moved to the test.
* Add the capsule_gen_binman.dts with binman nodes for capsule
  generation.
* Call the binman tool as part of the capsule test setup for
  generation of capsules.

 include/sandbox_efi_capsule.h |  21 ++
 .../test_efi_capsule/capsule_gen_binman.dts   | 321 ++
 test/py/tests/test_efi_capsule/conftest.py| 163 ++---
 .../tests/test_efi_capsule/uboot_bin_env.its  |  36 --
 4 files changed, 367 insertions(+), 174 deletions(-)
 create mode 100644 include/sandbox_efi_capsule.h
 create mode 100644 test/py/tests/test_efi_capsule/capsule_gen_binman.dts
 delete mode 100644 test/py/tests/test_efi_capsule/uboot_bin_env.its

diff --git a/include/sandbox_efi_capsule.h b/include/sandbox_efi_capsule.h
new file mode 100644
index 00..3e288e8a84
--- /dev/null
+++ b/include/sandbox_efi_capsule.h
@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2023, Linaro Limited
+ */
+
+#if !defined(_SANDBOX_EFI_CAPSULE_H_)
+#define _SANDBOX_EFI_CAPSULE_H_
+
+#define SANDBOX_UBOOT_IMAGE_GUID   "09d7cf52-0720-4710-91d1-08469b7fe9c8"
+#define SANDBOX_UBOOT_ENV_IMAGE_GUID   "5a7021f5-fef2-48b4-aaba-832e777418c0"
+#define SANDBOX_FIT_IMAGE_GUID "3673b45d-6a7c-46f3-9e60-adabb03f7937"
+#define SANDBOX_INCORRECT_GUID "058b7d83-50d5-4c47-a195-60d86ad341c4"
+
+#define UBOOT_FIT_IMAGE"u-boot_bin_env.itb"
+
+#define CAPSULE_PRIV_KEY   "capsule_priv_key_good.key"
+#define CAPSULE_PUB_KEY"capsule_pub_key_good.crt"
+#define CAPSULE_INVAL_KEY  "capsule_priv_key_bad.key"
+#define CAPSULE_INVAL_PUB_KEY  "capsule_pub_key_bad.crt"
+
+#endif /* _SANDBOX_EFI_CAPSULE_H_ */
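Review bot: SANDBOX_INCORRECT_GUID, CAPSULE_INVAL_KEY and CAPSULE_INVAL_PUB_KEY are negative-test values, but nothing in the header says so, and they sit next to the valid ones under similar names. Add a one-line comment above each group stating which values are expected to be rejected. Style: the include guard would normally be written `#ifndef _SANDBOX_EFI_CAPSULE_H_`, and a header takes a /* */ SPDX comment rather than //.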
diff --git a/test/py/tests/test_efi_capsule/capsule_gen_binman.dts 
b/test/py/tests/test_efi_capsule/capsule_gen_binman.dts
new file mode 100644
index 00..e8a1858509
--- /dev/null
+++ b/test/py/tests/test_efi_capsule/capsule_gen_binman.dts
@@ -0,0 +1,321 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Devicetree for capsule generation through binman
+ */
+
+/dts-v1/;
+
+#include 
+
+/ {
+   binman: binman {
+   multiple-images;
+   };
+};
+
+&binman {
+   itb {
+   filename = UBOOT_FIT_IMAGE;
+
+   fit {
+   description = "Automatic U-Boot environment update";
+   #address-cells = <2>;
+
+   images {
+   u-boot-bin {
+   description = "U-Boot binary on SPI 
Flash";
+   compression = "none";
+   type = "firmware";
+   arch = "sandbox";
+   load = <0>;
+   text {
+   text = "u-boot:New";
+   };
+
+   hash-1 {
+   algo = "sha1";
+   };
+   };
+   u-boot-env {
+   description = "U-Boot environment on 
SPI Flash";
+   compression = "none";
+   type = "firmware";
+   arch = "sandbox";
+   load = <0>;
+   text {
+   text = "u-boot-env:New";
+   };
+
+   hash-1 {
+   algo = "sha1";
+   };
+   };
+   };
+   };
+   };
+
+   capsule1 {
+   filename = "Test01";
+   efi-capsule {
+   image-index = <0x1>;
+   image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+
+   text {
+   text = "u-boot:New";
+   };
+   };
+   };
+
+   capsule2 

[PATCH v11 08/15] doc: Add documentation to highlight capsule generation related updates

2023-08-22 Thread Sughosh Ganu
The EFI capsules can now be generated as part of U-Boot build, through
binman. Highlight these changes in the documentation.

Signed-off-by: Sughosh Ganu 
Acked-by: Heinrich Schuchardt 
---
Changes since V10:
* Add an example binman capsule node which shows how a capsule can be
  generated through binman.

 doc/develop/uefi/uefi.rst | 40 +++
 1 file changed, 40 insertions(+)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index a7a41f2fac..f27cabbcce 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -318,6 +318,9 @@ Run the following command
   --guid  \
   
 
+Capsule with firmware version
+*
+
 The UEFI specification does not define the firmware versioning mechanism.
 EDK II reference implementation inserts the FMP Payload Header right before
 the payload. It coutains the fw_version and lowest supported version,
@@ -345,6 +348,43 @@ add --fw-version option in mkeficapsule tool.
 If the --fw-version option is not set, FMP Payload Header is not inserted
 and fw_version is set as 0.
 
+Capsule Generation through binman
+*
+
+Support has also been added to generate capsules during U-Boot build
+through binman. This requires the platform's DTB to be populated with
+the capsule entry nodes for binman. The capsules then can be generated
+by specifying the capsule parameters as properties in the capsule
+entry node.
+
+Check the test/py/tests/test_efi_capsule/capsule_gen_binman.dts file
+as reference for how a typical binman node for capsule generation
+looks like. For generating capsules as part of the platform's build, a
+capsule node would then have to be included into the platform's
+devicetree.
+
+A typical binman node for generating a capsule would look like::
+
+   capsule {
+   filename = "u-boot.capsule";
+   efi-capsule {
+   image-index = <0x1>;
+   image-guid = "09d7cf52-0720-4710-91d1-08469b7fe9c8";
+
+   u-boot {
+   };
+   };
+   };
+
+In the above example, a capsule file named u-boot.capsule will be
+generated with u-boot.bin as it's input payload. The capsule
+generation parameters like image-index and image-guid are being
+specified as properties. Similarly, other properties like the private
+and public key certificate can be specified for generating signed
+capsules. Refer :ref:`etype_efi_capsule` for documentation about the
+efi-capsule binman entry type, which describes all the properties that
+can be specified.
+
 Performing the update
 *
 
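Review bot: "with u-boot.bin as it's input payload" should read "its", and "Refer :ref:" should be "Refer to :ref:". The example node shows only the unsigned case although the paragraph after it goes on to signed capsules; adding private-key and public-key-cert lines to the example, or a second example, would show readers the form they need when capsule authentication is enabled.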
-- 
2.34.1



[PATCH v11 09/15] sandbox: trace: Increase trace buffer size

2023-08-22 Thread Sughosh Ganu
When running the trace test on the sandbox platform, the current size
of 16MiB is no longer large enough for capturing the entire trace
history, and results in truncation. Use a size of 32MiB for the trace
buffer on the sandbox platform while running the trace test.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Simon Glass 
---
Changes since V10: None

 .azure-pipelines.yml| 2 +-
 .gitlab-ci.yml  | 2 +-
 test/py/tests/test_trace.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
index 0be317b388..d4591234c4 100644
--- a/.azure-pipelines.yml
+++ b/.azure-pipelines.yml
@@ -275,7 +275,7 @@ stages:
   TEST_PY_BD: "sandbox"
   BUILD_ENV: "FTRACE=1 NO_LTO=1"
   TEST_PY_TEST_SPEC: "trace"
-  OVERRIDE: "-a CONFIG_TRACE=y -a CONFIG_TRACE_EARLY=y -a 
CONFIG_TRACE_EARLY_SIZE=0x0100"
+  OVERRIDE: "-a CONFIG_TRACE=y -a CONFIG_TRACE_EARLY=y -a 
CONFIG_TRACE_EARLY_SIZE=0x0100 -a CONFIG_TRACE_BUFFER_SIZE=0x0200"
 coreboot:
   TEST_PY_BD: "coreboot"
   TEST_PY_ID: "--id qemu"
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5750d82023..cef42aca8c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -315,7 +315,7 @@ sandbox trace_test.py:
 TEST_PY_BD: "sandbox"
 BUILD_ENV: "FTRACE=1 NO_LTO=1"
 TEST_PY_TEST_SPEC: "trace"
-OVERRIDE: "-a CONFIG_TRACE=y -a CONFIG_TRACE_EARLY=y -a 
CONFIG_TRACE_EARLY_SIZE=0x0100"
+OVERRIDE: "-a CONFIG_TRACE=y -a CONFIG_TRACE_EARLY=y -a 
CONFIG_TRACE_EARLY_SIZE=0x0100 -a CONFIG_TRACE_BUFFER_SIZE=0x0200"
   <<: *buildman_and_testpy_dfn
 
 evb-ast2500 test.py:
diff --git a/test/py/tests/test_trace.py b/test/py/tests/test_trace.py
index ac3e95925e..ad2250920d 100644
--- a/test/py/tests/test_trace.py
+++ b/test/py/tests/test_trace.py
@@ -61,7 +61,7 @@ def collect_trace(cons):
 
 # Read out the trace data
 addr = 0x0200
-size = 0x0100
+size = 0x0200
 out = cons.run_command(f'trace calls {addr:x} {size:x}')
 print(out)
 fname = os.path.join(TMPDIR, 'trace')
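Review bot: `size` in collect_trace() is a literal that has to stay in step with the CONFIG_TRACE_BUFFER_SIZE value passed through OVERRIDE in .azure-pipelines.yml and .gitlab-ci.yml, which is how the truncation described in the commit message can come back when one of the three is changed alone. Add a comment next to `size` naming the config symbol it must match, or derive the value from the build configuration in the test.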
-- 
2.34.1



[PATCH v11 10/15] scripts/Makefile.lib: Collate all dtsi files for inclusion

2023-08-22 Thread Sughosh Ganu
At the time of building a device-tree file, all the *u-boot.dtsi files
are looked for, in a particular order, and the first file found is
included. Then, the list of files specified in the
CONFIG_DEVICE_TREE_INCLUDES symbol are included.

Combine these files that are to be included into a variable, and then
include all these files in one go.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Tom Rini 
Acked-by: Ilias Apalodimas 
---
Changes since V10: None

 scripts/Makefile.lib | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index f5ab7af0f4..368b5a3e28 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -179,10 +179,13 @@ ifdef DEVICE_TREE_DEBUG
 u_boot_dtsi_options_debug = $(warning $(u_boot_dtsi_options_raw))
 endif
 
-# We use the first match
-u_boot_dtsi = $(strip $(u_boot_dtsi_options_debug) \
+# We use the first match to be included
+dtsi_include_list = $(strip $(u_boot_dtsi_options_debug) \
$(notdir $(firstword $(u_boot_dtsi_options
 
+# The CONFIG_DEVICE_TREE_INCLUDES also need to be included
+dtsi_include_list += $(CONFIG_DEVICE_TREE_INCLUDES)
+
 # Modified for U-Boot
 dtc_cpp_flags  = -Wp,-MD,$(depfile).pre.tmp -nostdinc\
 $(UBOOTINCLUDE) \
@@ -320,8 +323,8 @@ quiet_cmd_dtc = DTC $@
 # Bring in any U-Boot-specific include at the end of the file
 # And finally any custom .dtsi fragments specified with 
CONFIG_DEVICE_TREE_INCLUDES
 cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
-   (cat $<; $(if $(u_boot_dtsi),echo '$(pound)include "$(u_boot_dtsi)"')) 
> $(pre-tmp); \
-   $(foreach f,$(subst $(quote),,$(CONFIG_DEVICE_TREE_INCLUDES)), \
+   (cat $< > $(pre-tmp)); \
+   $(foreach f,$(subst $(quote),,$(dtsi_include_list)), \
  echo '$(pound)include "$(f)"' >> $(pre-tmp);) \
$(HOSTCC) -E $(dtc_cpp_flags) -x assembler-with-cpp -o $(dtc-tmp) 
$(pre-tmp) ; \
$(DTC) -O dtb -o $@ -b 0 \
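Review bot: in cmd_dtc, `(cat $< > $(pre-tmp));` no longer groups two commands, so the subshell parentheses can go. The comment block above the command still describes the U-Boot-specific include and the CONFIG_DEVICE_TREE_INCLUDES fragments as two steps; reword it to say that everything in dtsi_include_list is appended in order. It is also worth a sentence in the commit message that dropping the `$(if $(u_boot_dtsi),...)` guard is safe because the foreach emits nothing for an empty list.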
-- 
2.34.1



[PATCH v11 11/15] scripts/Makefile.lib: Add dtsi include files as deps for building DTB

2023-08-22 Thread Sughosh Ganu
At the time of building the DTB, some dtsi files can be selected for
inclusion. Have these dtsi files as dependencies for the DTB
target. This also ensures generation or updating the dtsi files if
need be.

Signed-off-by: Sughosh Ganu 
Acked-by: Ilias Apalodimas 
Reviewed-by: Tom Rini 
---
Changes since V10: None

 scripts/Makefile.lib | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 368b5a3e28..8c5e25c31c 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -334,7 +334,9 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
; \
sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > 
$(depfile)
 
-$(obj)/%.dtb: $(src)/%.dts $(DTC) FORCE
+dtsi_include_list_deps = $(addprefix $(obj)/,$(subst 
$(quote),,$(dtsi_include_list)))
+
+$(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
$(call if_changed_dep,dtc)
 
 pre-tmp = $(subst $(comma),_,$(dot-target).pre.tmp)
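Review bot: dtsi_include_list_deps prefixes every entry with $(obj)/, which assumes each file in dtsi_include_list, including whatever is named in CONFIG_DEVICE_TREE_INCLUDES, can be resolved relative to the DTB's build directory. Please confirm this holds for out-of-tree builds and for include entries that carry a directory component, and add a comment above the variable saying where these prerequisites are expected to be found or generated.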
-- 
2.34.1



[PATCH v11 12/15] scripts/Makefile.lib: Embed capsule public key in platform's dtb

2023-08-22 Thread Sughosh Ganu
The EFI capsule authentication logic in u-boot expects the public key
in the form of an EFI Signature List(ESL) to be provided as part of
the platform's dtb. Currently, the embedding of the ESL file into the
dtb needs to be done manually.

Add a target for generating a dtsi file which contains the signature
node with the ESL file included as a property under the signature
node. Include the dtsi file in the dtb. This brings the embedding of
the ESL in the dtb into the U-Boot build flow.

The path to the ESL file is specified through the
CONFIG_EFI_CAPSULE_ESL_FILE symbol.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Tom Rini 
Reviewed-by: Ilias Apalodimas 
---
Changes since V10: None

 lib/efi_loader/Kconfig |  8 
 lib/efi_loader/capsule_esl.dtsi.in | 11 +++
 scripts/Makefile.lib   | 15 +++
 3 files changed, 34 insertions(+)
 create mode 100644 lib/efi_loader/capsule_esl.dtsi.in

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 9989e3f384..d20aaab6db 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX
  Select the max capsule index value used for capsule report
  variables. This value is used to create CapsuleMax variable.
 
+config EFI_CAPSULE_ESL_FILE
+   string "Path to the EFI Signature List File"
+   depends on EFI_CAPSULE_AUTHENTICATE
+   help
+ Provides the path to the EFI Signature List file which will
+ be embedded in the platform's device tree and used for
+ capsule authentication at the time of capsule update.
+
 config EFI_DEVICE_PATH_TO_TEXT
bool "Device path to text protocol"
default y
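Review bot: the help text for EFI_CAPSULE_ESL_FILE does not say what the path is relative to, while the Makefile hunk in this patch builds it as $(abspath $(srctree)/...), so an absolute path or one relative to the build directory will not resolve. State in the help that the path is relative to the top of the source tree. The symbol also has no default, so enabling EFI_CAPSULE_AUTHENTICATE alone leaves it empty; say in the help that it must be set in that case.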
diff --git a/lib/efi_loader/capsule_esl.dtsi.in 
b/lib/efi_loader/capsule_esl.dtsi.in
new file mode 100644
index 00..61a9f2b25e
--- /dev/null
+++ b/lib/efi_loader/capsule_esl.dtsi.in
@@ -0,0 +1,11 @@
+// SPDX-License-Identifier: GPL-2.0+
+/**
+ * Devicetree file with the public key EFI Signature List(ESL)
+ * node. This file is used to generate the dtsi file to be
+ * included into the DTB.
+*/
+/ {
+   signature {
+   capsule-key = /incbin/("ESL_BIN_FILE");
+   };
+};
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 8c5e25c31c..3cec46bb15 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -334,6 +334,21 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
; \
sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > 
$(depfile)
 
+quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@
+cmd_capsule_esl_gen = \
+   $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" 
$(capsule_esl_input_file) > $@)
+
+$(obj)/.capsule_esl.dtsi:
+   $(call cmd_capsule_esl_gen)
+
+capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
+capsule_esl_dtsi = .capsule_esl.dtsi
+capsule_esl_path=$(abspath $(srctree)/$(subst 
$(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))
+
+ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+dtsi_include_list += $(capsule_esl_dtsi)
+endif
+
 dtsi_include_list_deps = $(addprefix $(obj)/,$(subst 
$(quote),,$(dtsi_include_list)))
 
 $(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
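Review bot: the $(obj)/.capsule_esl.dtsi rule has no prerequisites, so once the file exists it is not regenerated when CONFIG_EFI_CAPSULE_ESL_FILE or capsule_esl.dtsi.in changes, and the DTB can keep embedding the previous key path. Make the rule depend on $(capsule_esl_input_file) and use FORCE with if_changed so that a changed path is picked up. In the recipe, `$(shell sed ... > $@)` runs sed while make expands the recipe rather than as a recipe command, and `$(call cmd_capsule_esl_gen)` bypasses the quiet_cmd_ line defined just above it; `$(call cmd,capsule_esl_gen)` with a plain sed command would use it. Finally, the dtsi is added to dtsi_include_list whenever CONFIG_EFI_CAPSULE_AUTHENTICATE is set, even when the ESL path is empty; a check that fails the build with a clear message when the file is missing would be better than an /incbin/ error from dtc.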
-- 
2.34.1



[PATCH v11 13/15] sandbox: capsule: Add path to the public key ESL file

2023-08-22 Thread Sughosh Ganu
Add the path to the public key EFI Signature List(ESL) file for the
sandbox variants which enable capsule authentication. This ESL file
gets embedded into the platform's device-tree as part of the build.

Signed-off-by: Sughosh Ganu 
---
Changes since V10: None

 configs/sandbox_defconfig  | 1 +
 configs/sandbox_flattree_defconfig | 1 +
 2 files changed, 2 insertions(+)

diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index 1cd1c2ed7c..9f349d482b 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -340,6 +340,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
 CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="board/sandbox/capsule_pub_esl_good.esl"
 CONFIG_EFI_SECURE_BOOT=y
 CONFIG_TEST_FDTDEC=y
 CONFIG_UNIT_TEST=y
diff --git a/configs/sandbox_flattree_defconfig 
b/configs/sandbox_flattree_defconfig
index 8aa295686d..2a24b38cfb 100644
--- a/configs/sandbox_flattree_defconfig
+++ b/configs/sandbox_flattree_defconfig
@@ -227,6 +227,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
 CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="board/sandbox/capsule_pub_esl_good.esl"
 CONFIG_UNIT_TEST=y
 CONFIG_UT_TIME=y
 CONFIG_UT_DM=y
-- 
2.34.1



[PATCH v11 14/15] test: capsule: Remove logic to add public key ESL

2023-08-22 Thread Sughosh Ganu
The public key EFI Signature List(ESL) needed for capsule
authentication is now embedded into the platform's DTB as part of the
build. Remove the superfluous logic from the test setup.

Signed-off-by: Sughosh Ganu 
---
Changes since V10: None

 test/py/tests/test_efi_capsule/conftest.py   | 14 --
 test/py/tests/test_efi_capsule/signature.dts | 10 --
 2 files changed, 4 insertions(+), 20 deletions(-)
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts

diff --git a/test/py/tests/test_efi_capsule/conftest.py 
b/test/py/tests/test_efi_capsule/conftest.py
index 9160f294e6..dd41da9284 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -51,21 +51,15 @@ def efi_capsule_data(request, u_boot_config):
 check_call('cp %s/capsule_pub_key_bad.crt %s/SIGNER2.crt'
% (key_dir, data_dir), shell=True)
 
-# Update dtb adding capsule certificate
-check_call('cd %s; '
-   'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
-   % (data_dir, u_boot_config.source_dir), shell=True)
-check_call('cd %s; '
-   'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
-   'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
-'-o test_sig.dtb signature.dtbo'
-   % (data_dir, u_boot_config.build_dir), shell=True)
-
 # Update dtb to add the version information
 check_call('cd %s; '
'cp %s/test/py/tests/test_efi_capsule/version.dts .'
% (data_dir, u_boot_config.source_dir), shell=True)
+
 if capsule_auth_enabled:
+check_call('cd %s; '
+   'cp %s/arch/sandbox/dts/test.dtb test_sig.dtb'
+   % (data_dir, u_boot_config.build_dir), shell=True)
 check_call('cd %s; '
'dtc -@ -I dts -O dtb -o version.dtbo version.dts; '
'fdtoverlay -i test_sig.dtb '
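Review bot: the added check_call builds a shell command by %-interpolating data_dir and u_boot_config.build_dir and runs it with shell=True just to copy one file. shutil.copyfile() does the same without a shell and without quoting problems when a path contains spaces. The copy is also now inside `if capsule_auth_enabled:`, whereas the removed lines produced test_sig.dtb unconditionally; please confirm that nothing later in the fixture uses test_sig.dtb when authentication is disabled. The name test_sig.dtb is kept although the file is now a plain copy of test.dtb, which deserves a comment.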
diff --git a/test/py/tests/test_efi_capsule/signature.dts 
b/test/py/tests/test_efi_capsule/signature.dts
deleted file mode 100644
index 078cfc76c9..00
--- a/test/py/tests/test_efi_capsule/signature.dts
+++ /dev/null
@@ -1,10 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0+
-
-/dts-v1/;
-/plugin/;
-
-&{/} {
-   signature {
-   capsule-key = /incbin/("SIGNER.esl");
-   };
-};
-- 
2.34.1



[PATCH v11 15/15] doc: capsule: Document the new mechanism to embed ESL file into dtb

2023-08-22 Thread Sughosh Ganu
Update the document to specify how the EFI Signature List(ESL) file
can be embedded into the platform's dtb as part of the U-Boot build.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Ilias Apalodimas 
---
Changes since V10: None

 doc/develop/uefi/uefi.rst | 19 +--
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index f27cabbcce..68f9b332d1 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -562,20 +562,11 @@ and used by the steps highlighted below.
 ...
 }
 
-You can do step-4 manually with
-
-.. code-block:: console
-
-$ dtc -@ -I dts -O dtb -o signature.dtbo signature.dts
-$ fdtoverlay -i orig.dtb -o new.dtb -v signature.dtbo
-
-where signature.dts looks like::
-
-&{/} {
-signature {
-capsule-key = /incbin/("CRT.esl");
-};
-};
+You can perform step-4 through the Kconfig symbol
+CONFIG_EFI_CAPSULE_ESL_FILE. This symbol points to the esl file
+generated in step-2. Once the symbol has been populated with the path
+to the esl file, it will automatically get embedded into the
+platform's dtb as part of U-Boot build.
 
 Anti-rollback Protection
 
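Review bot: the new paragraph does not say that the path in CONFIG_EFI_CAPSULE_ESL_FILE is taken relative to the top of the U-Boot source tree, nor that the symbol depends on CONFIG_EFI_CAPSULE_AUTHENTICATE; both are needed to follow step-4 without reading the Makefile and Kconfig. Also "esl file" should be "ESL file", matching the spelling used in the commit message.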
-- 
2.34.1



Re: [PATCH] fwu: Initialize global fwu library state during CI test

2023-08-25 Thread Sughosh Ganu
On Wed, 23 Aug 2023 at 05:47, Marek Vasut
 wrote:
>
> The current CI test worked by sheer luck, the g_dev global pointer
> in the fwu library was never initialized and the test equally well
> failed on sandbox64. Trigger the main loop in sandbox tests too to
> initialize that global state, and move the sandbox specific exit
> from fwu_boottime_checks after g_dev is initialized.
>
> Signed-off-by: Marek Vasut 
> ---
> Cc: Etienne Carriere 
> Cc: Ilias Apalodimas 
> Cc: Jassi Brar 
> Cc: Masahisa Kojima 
> Cc: Michal Simek 
> Cc: Patrick Delaunay 
> Cc: Simon Glass 
> Cc: Sughosh Ganu 
> ---
>  lib/fwu_updates/fwu.c | 12 ++--
>  test/dm/fwu_mdata.c   | 12 
>  2 files changed, 18 insertions(+), 6 deletions(-)

Acked-by: Sughosh Ganu 

But I have a question below.

>
> diff --git a/lib/fwu_updates/fwu.c b/lib/fwu_updates/fwu.c
> index 4d0c8b84b9d..22bdc78df59 100644
> --- a/lib/fwu_updates/fwu.c
> +++ b/lib/fwu_updates/fwu.c
> @@ -623,18 +623,18 @@ static int fwu_boottime_checks(void *ctx, struct event 
> *event)
> int ret;
> u32 boot_idx, active_idx;
>
> -   /* Don't have boot time checks on sandbox */
> -   if (IS_ENABLED(CONFIG_SANDBOX)) {
> -   boottime_check = 1;
> -   return 0;
> -   }
> -
> ret = uclass_first_device_err(UCLASS_FWU_MDATA, &g_dev);
> if (ret) {
> log_debug("Cannot find fwu device\n");
> return ret;
> }
>
> +   /* Don't have boot time checks on sandbox */
> +   if (IS_ENABLED(CONFIG_SANDBOX)) {
> +   boottime_check = 1;
> +   return 0;
> +   }
> +
> ret = fwu_get_mdata(NULL);
> if (ret) {
> log_debug("Unable to read meta-data\n");
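Review bot: with the sandbox early exit moved below uclass_first_device_err(), a sandbox run in which no FWU metadata device is found now returns the lookup error from this handler and leaves boottime_check unset, where it previously set boottime_check = 1 and returned 0. If that is intended, the commit message should say so; if not, keep the sandbox path returning 0 when the lookup fails.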
> diff --git a/test/dm/fwu_mdata.c b/test/dm/fwu_mdata.c
> index 8b5c83ef4e2..52018f610fe 100644
> --- a/test/dm/fwu_mdata.c
> +++ b/test/dm/fwu_mdata.c
> @@ -93,6 +93,12 @@ static int dm_test_fwu_mdata_read(struct unit_test_state 
> *uts)
> struct udevice *dev;
> struct fwu_mdata mdata = { 0 };
>
> +   /*
> +* Trigger lib/fwu_updates/fwu.c fwu_boottime_checks()
> +* to populate g_dev global pointer in that library.
> +*/
> +   event_notify_null(EVT_MAIN_LOOP);
> +

Are these explicit invocations required? Should fwu_boottime_checks
not get called through run_main_loop() during boot?

-sughosh

> ut_assertok(uclass_first_device_err(UCLASS_FWU_MDATA, &dev));
> ut_assertok(setup_blk_device(uts));
> ut_assertok(populate_mmc_disk_image(uts));
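Review bot: the return value of event_notify_null(EVT_MAIN_LOOP) is discarded, so if fwu_boottime_checks() fails the test carries on with g_dev still unset and fails later for a less obvious reason. Wrapping the call as ut_assertok(event_notify_null(EVT_MAIN_LOOP)) reports the failure where it happens; the same applies to the identical call added to dm_test_fwu_mdata_write().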
> @@ -112,6 +118,12 @@ static int dm_test_fwu_mdata_write(struct 
> unit_test_state *uts)
> struct udevice *dev;
> struct fwu_mdata mdata = { 0 };
>
> +   /*
> +* Trigger lib/fwu_updates/fwu.c fwu_boottime_checks()
> +* to populate g_dev global pointer in that library.
> +*/
> +   event_notify_null(EVT_MAIN_LOOP);
> +
> ut_assertok(setup_blk_device(uts));
> ut_assertok(populate_mmc_disk_image(uts));
> ut_assertok(write_mmc_blk_device(uts));
> --
> 2.40.1
>


[PATCH v12] scripts/Makefile.lib: Embed capsule public key in platform's dtb

2023-08-25 Thread Sughosh Ganu
The EFI capsule authentication logic in u-boot expects the public key
in the form of an EFI Signature List(ESL) to be provided as part of
the platform's dtb. Currently, the embedding of the ESL file into the
dtb needs to be done manually.

Add a target for generating a dtsi file which contains the signature
node with the ESL file included as a property under the signature
node. Include the dtsi file in the dtb. This brings the embedding of
the ESL in the dtb into the U-Boot build flow.

The path to the ESL file is specified through the
CONFIG_EFI_CAPSULE_ESL_FILE symbol.

Signed-off-by: Sughosh Ganu 
Reviewed-by: Tom Rini 
Reviewed-by: Ilias Apalodimas 
---
Changes since V11:
* Added a FORCE dependency to the .capsule_esl.dtsi target to ensure
  the dtsi's generation on every invocation

Note: This being a minor improvement on the earlier patch version,
and this being the only change in the 15 patch series, Tom Rini
suggested just re-sending a v12 for this patch.


 lib/efi_loader/Kconfig |  8 
 lib/efi_loader/capsule_esl.dtsi.in | 11 +++
 scripts/Makefile.lib   | 15 +++
 3 files changed, 34 insertions(+)
 create mode 100644 lib/efi_loader/capsule_esl.dtsi.in

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 9989e3f384..d20aaab6db 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -272,6 +272,14 @@ config EFI_CAPSULE_MAX
  Select the max capsule index value used for capsule report
  variables. This value is used to create CapsuleMax variable.
 
+config EFI_CAPSULE_ESL_FILE
+   string "Path to the EFI Signature List File"
+   depends on EFI_CAPSULE_AUTHENTICATE
+   help
+ Provides the path to the EFI Signature List file which will
+ be embedded in the platform's device tree and used for
+ capsule authentication at the time of capsule update.
+
 config EFI_DEVICE_PATH_TO_TEXT
bool "Device path to text protocol"
default y
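Review bot: the help text for EFI_CAPSULE_ESL_FILE does not say how the path is resolved, while the scripts/Makefile.lib hunk of this patch builds it as $(abspath $(srctree)/...), that is, relative to the source tree. Put that in the help text so users do not have to read the Makefile, and mention that the string must be set once EFI_CAPSULE_AUTHENTICATE is enabled, since the symbol has no default.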
diff --git a/lib/efi_loader/capsule_esl.dtsi.in 
b/lib/efi_loader/capsule_esl.dtsi.in
new file mode 100644
index 00..61a9f2b25e
--- /dev/null
+++ b/lib/efi_loader/capsule_esl.dtsi.in
@@ -0,0 +1,11 @@
+// SPDX-License-Identifier: GPL-2.0+
+/**
+ * Devicetree file with the public key EFI Signature List(ESL)
+ * node. This file is used to generate the dtsi file to be
+ * included into the DTB.
+*/
+/ {
+   signature {
+   capsule-key = /incbin/("ESL_BIN_FILE");
+   };
+};
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 8c5e25c31c..8dc6ec82cd 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -334,6 +334,21 @@ cmd_dtc = mkdir -p $(dir ${dtc-tmp}) ; \
; \
sed "s:$(pre-tmp):$(<):" $(depfile).pre.tmp $(depfile).dtc.tmp > 
$(depfile)
 
+quiet_cmd_capsule_esl_gen = CAPSULE_ESL_GEN $@
+cmd_capsule_esl_gen = \
+   $(shell sed "s:ESL_BIN_FILE:$(capsule_esl_path):" 
$(capsule_esl_input_file) > $@)
+
+$(obj)/.capsule_esl.dtsi: FORCE
+   $(call cmd_capsule_esl_gen)
+
+capsule_esl_input_file=$(srctree)/lib/efi_loader/capsule_esl.dtsi.in
+capsule_esl_dtsi = .capsule_esl.dtsi
+capsule_esl_path=$(abspath $(srctree)/$(subst 
$(quote),,$(CONFIG_EFI_CAPSULE_ESL_FILE)))
+
+ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+dtsi_include_list += $(capsule_esl_dtsi)
+endif
+
 dtsi_include_list_deps = $(addprefix $(obj)/,$(subst 
$(quote),,$(dtsi_include_list)))
 
 $(obj)/%.dtb: $(src)/%.dts $(DTC) $(dtsi_include_list_deps) FORCE
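Review bot: cmd_capsule_esl_gen wraps the sed in $(shell ...), so it runs while make expands the recipe instead of as a recipe command, and because the rule uses $(call cmd_capsule_esl_gen) rather than $(call cmd,capsule_esl_gen) the quiet_cmd_capsule_esl_gen string is never printed. Dropping the $(shell ...) wrapper and going through cmd fixes both. Two path cases also need handling: dtsi_include_list gains the file whenever CONFIG_EFI_CAPSULE_AUTHENTICATE is set, so an empty CONFIG_EFI_CAPSULE_ESL_FILE turns capsule_esl_path into the source-tree directory and /incbin/ is pointed at a directory, and an absolute path in the symbol gets $(srctree)/ prepended. An explicit $(error ...) for the empty case would give a much clearer failure than the resulting dtc error.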
-- 
2.34.1



Re: [PATCH 06/19] FMU: Avoid showing an unselectable menu option

2023-08-25 Thread Sughosh Ganu
On Fri, 25 Aug 2023 at 01:29, Simon Glass  wrote:
>
> Use a menuconfig to avoid showing a menu which cannot be selected in many
> cases.
>
> This option should really go with the other 'Update support'.
>
> Perhaps we should even consider a top-level update/ directory?
>
> Signed-off-by: Simon Glass 
> ---

nit: s/FMU/FWU in the commit header.

Acked-by: Sughosh Ganu 

-sughosh

>
>  lib/Kconfig | 4 
>  lib/fwu_updates/Kconfig | 6 +-
>  2 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/lib/Kconfig b/lib/Kconfig
> index 9addcfab3734..bfab2f3165a7 100644
> --- a/lib/Kconfig
> +++ b/lib/Kconfig
> @@ -1118,8 +1118,4 @@ config PHANDLE_CHECK_SEQ
>
>  endmenu
>
> -menu "FWU Multi Bank Updates"
> -
>  source lib/fwu_updates/Kconfig
> -
> -endmenu
> diff --git a/lib/fwu_updates/Kconfig b/lib/fwu_updates/Kconfig
> index 71f34793d926..be35ad29fa32 100644
> --- a/lib/fwu_updates/Kconfig
> +++ b/lib/fwu_updates/Kconfig
> @@ -1,4 +1,4 @@
> -config FWU_MULTI_BANK_UPDATE
> +menuconfig FWU_MULTI_BANK_UPDATE
> bool "Enable FWU Multi Bank Update Feature"
> depends on EFI_CAPSULE_ON_DISK
> select PARTITION_TYPE_GUID
> @@ -10,6 +10,8 @@ config FWU_MULTI_BANK_UPDATE
>   multiple banks(copies) of the firmware images. One of the
>   bank is selected for updating all the firmware components
>
> +if FWU_MULTI_BANK_UPDATE
> +
>  config FWU_NUM_BANKS
> int "Number of Banks defined by the platform"
> depends on FWU_MULTI_BANK_UPDATE
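Review bot: once FWU_NUM_BANKS sits inside the new "if FWU_MULTI_BANK_UPDATE" block, its own "depends on FWU_MULTI_BANK_UPDATE" line, visible as context in this hunk, is redundant. Dropping it in the same patch, along with any other option in the block that repeats the dependency, keeps the file consistent with the new structure.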
> @@ -31,3 +33,5 @@ config FWU_TRIAL_STATE_CNT
>   With FWU Multi Bank Update feature enabled, number of times
>   the platform is allowed to boot in Trial State after an
>   update.
> +
> +endif
> --
> 2.42.0.rc1.204.g551eb34607-goog
>


Re: [PATCH] fwu: Initialize global fwu library state during CI test

2023-08-26 Thread Sughosh Ganu
On Fri, 25 Aug 2023 at 21:30, Marek Vasut  wrote:
>
> On 8/25/23 12:52, Sughosh Ganu wrote:
> > On Wed, 23 Aug 2023 at 05:47, Marek Vasut
> >  wrote:
> >>
> >> The current CI test worked by sheer luck, the g_dev global pointer
> >> in the fwu library was never initialized and the test equally well
> >> failed on sandbox64. Trigger the main loop in sandbox tests too to
> >> initialize that global state, and move the sandbox specific exit
> >> from fwu_boottime_checks after g_dev is initialized.
> >>
> >> Signed-off-by: Marek Vasut 
> >> ---
> >> Cc: Etienne Carriere 
> >> Cc: Ilias Apalodimas 
> >> Cc: Jassi Brar 
> >> Cc: Masahisa Kojima 
> >> Cc: Michal Simek 
> >> Cc: Patrick Delaunay 
> >> Cc: Simon Glass 
> >> Cc: Sughosh Ganu 
> >> ---
> >>   lib/fwu_updates/fwu.c | 12 ++--
> >>   test/dm/fwu_mdata.c   | 12 
> >>   2 files changed, 18 insertions(+), 6 deletions(-)
> >
> > Acked-by: Sughosh Ganu 
> >
> > But I have a question below.
> >
> >>
> >> diff --git a/lib/fwu_updates/fwu.c b/lib/fwu_updates/fwu.c
> >> index 4d0c8b84b9d..22bdc78df59 100644
> >> --- a/lib/fwu_updates/fwu.c
> >> +++ b/lib/fwu_updates/fwu.c
> >> @@ -623,18 +623,18 @@ static int fwu_boottime_checks(void *ctx, struct 
> >> event *event)
> >>  int ret;
> >>  u32 boot_idx, active_idx;
> >>
> >> -   /* Don't have boot time checks on sandbox */
> >> -   if (IS_ENABLED(CONFIG_SANDBOX)) {
> >> -   boottime_check = 1;
> >> -   return 0;
> >> -   }
> >> -
> >>  ret = uclass_first_device_err(UCLASS_FWU_MDATA, &g_dev);
> >>  if (ret) {
> >>  log_debug("Cannot find fwu device\n");
> >>  return ret;
> >>  }
> >>
> >> +   /* Don't have boot time checks on sandbox */
> >> +   if (IS_ENABLED(CONFIG_SANDBOX)) {
> >> +   boottime_check = 1;
> >> +   return 0;
> >> +   }
> >> +
> >>  ret = fwu_get_mdata(NULL);
> >>  if (ret) {
> >>  log_debug("Unable to read meta-data\n");
> >> diff --git a/test/dm/fwu_mdata.c b/test/dm/fwu_mdata.c
> >> index 8b5c83ef4e2..52018f610fe 100644
> >> --- a/test/dm/fwu_mdata.c
> >> +++ b/test/dm/fwu_mdata.c
> >> @@ -93,6 +93,12 @@ static int dm_test_fwu_mdata_read(struct 
> >> unit_test_state *uts)
> >>  struct udevice *dev;
> >>  struct fwu_mdata mdata = { 0 };
> >>
> >> +   /*
> >> +* Trigger lib/fwu_updates/fwu.c fwu_boottime_checks()
> >> +* to populate g_dev global pointer in that library.
> >> +*/
> >> +   event_notify_null(EVT_MAIN_LOOP);
> >> +
> >
> > Are these explicit invocations required? Should fwu_boottime_checks
> > not get called through run_main_loop() during boot?
>
> board_r.c event_notify_null(EVT_MAIN_LOOP); is not reached in sandbox:
>
> 571 static int run_main_loop(void)
> 572 {
> 573 #ifdef CONFIG_SANDBOX <--- because of this
> 574 sandbox_main_loop_init();
> 575 #endif
> 576
> 577 event_notify_null(EVT_MAIN_LOOP);

Okay. I see that the line on 577 does not get called before the test
when invoked through the command line. Thanks.

-sughosh


[RFC PATCH 0/5] Allow for removal of DT nodes and properties

2023-08-26 Thread Sughosh Ganu


Provide a way for removing certain devicetree nodes and/or properties
from the devicetree. This is needed to purge certain nodes and
properties which may be relevant only in U-Boot. Such nodes and
properties are then removed from the devicetree before it is passed to
the kernel. This ensures that the devicetree passed to the OS does not
contain any non-compliant nodes and properties.

The removal of the nodes and properties is being done through an
EVT_FT_FIXUP handler. I am not sure if the removal code needs to be
behind any Kconfig symbol.

I have only build tested this on sandbox, and tested on qemu arm64
virt platform. This being an RFC, I have not put this through a CI run.

Sughosh Ganu (5):
  dt: Provide a way to remove non-compliant nodes and properties
  fwu: Add the fwu-mdata node for removal from devicetree
  capsule: Add the capsule-key property for removal from devicetree
  bootefi: Call the EVT_FT_FIXUP event handler
  doc: Add a document for non-compliant DT node/property removal

 cmd/bootefi.c | 18 +
 .../devicetree/dt_non_compliant_purge.rst | 64 
 drivers/fwu-mdata/fwu-mdata-uclass.c  |  5 ++
 include/dt-structs.h  | 11 +++
 lib/Makefile  |  1 +
 lib/dt_purge.c| 73 +++
 lib/efi_loader/efi_capsule.c  |  7 ++
 7 files changed, 179 insertions(+)
 create mode 100644 doc/develop/devicetree/dt_non_compliant_purge.rst
 create mode 100644 lib/dt_purge.c

-- 
2.34.1




[RFC PATCH 1/5] dt: Provide a way to remove non-compliant nodes and properties

2023-08-26 Thread Sughosh Ganu
Add a function which is registered to spy for an EVT_FT_FIXUP event,
and removes the non upstreamed nodes and properties from the
devicetree before it gets passed to the OS.

This allows removing entire nodes, or specific properties under nodes
from the devicetree. The required nodes and properties can be
registered for removal through the DT_NON_COMPLIANT_PURGE and
DT_NON_COMPLIANT_PURGE_LIST macros.

Signed-off-by: Sughosh Ganu 
---
 include/dt-structs.h | 11 +++
 lib/Makefile |  1 +
 lib/dt_purge.c   | 73 
 3 files changed, 85 insertions(+)
 create mode 100644 lib/dt_purge.c

diff --git a/include/dt-structs.h b/include/dt-structs.h
index fa1622cb1d..f535c60471 100644
--- a/include/dt-structs.h
+++ b/include/dt-structs.h
@@ -57,3 +57,14 @@ struct phandle_2_arg {
 #endif
 
 #endif
+
+struct dt_non_compliant_purge {
+   const char *node_path;
+   const char *prop;
+};
+
+#define DT_NON_COMPLIANT_PURGE(__name) \
+   ll_entry_declare(struct dt_non_compliant_purge, __name, dt_purge)
+
+#define DT_NON_COMPLIANT_PURGE_LIST(__name)\
+   ll_entry_declare_list(struct dt_non_compliant_purge, __name, dt_purge)
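Review bot: the new struct and both macros are appended after the file's last #endif, which appears to close the include guard, so a second inclusion of dt-structs.h would redefine struct dt_non_compliant_purge. Move the block above that #endif, include linker_lists.h here for ll_entry_declare() instead of relying on each user, and add kernel-doc for node_path and prop, in particular that leaving prop unset removes the whole node.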
diff --git a/lib/Makefile b/lib/Makefile
index 8d8ccc8bbc..82a906daa0 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -37,6 +37,7 @@ endif
 obj-y += crc8.o
 obj-y += crc16.o
 obj-y += crc16-ccitt.o
+obj-y += dt_purge.o
 obj-$(CONFIG_ERRNO_STR) += errno_str.o
 obj-$(CONFIG_FIT) += fdtdec_common.o
 obj-$(CONFIG_TEST_FDTDEC) += fdtdec_test.o
diff --git a/lib/dt_purge.c b/lib/dt_purge.c
new file mode 100644
index 00..f893ba9796
--- /dev/null
+++ b/lib/dt_purge.c
@@ -0,0 +1,73 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2023, Linaro Limited
+ */
+
+#include 
+#include 
+#include 
+
+#include 
+
+/**
+ * dt_non_compliant_purge() -  Remove non-upstreamed nodes and properties
+ * from the DT
+ * @ctx: Context for event
+ * @event: Event to process
+ *
+ * Iterate through an array of DT nodes and properties, and remove them
+ * from the device-tree before the DT gets handed over to the kernel.
+ * These are nodes and properties which do not have upstream bindings
+ * and need to be purged before being handed over to the kernel.
+ *
+ * If both the node and property are specified, delete the property. If
+ * only the node is specified, delete the entire node, including it's
+ * subnodes, if any.
+ *
+ * Return: 0 if OK, -ve on error
+ */
+static int dt_non_compliant_purge(void *ctx, struct event *event)
+{
+   int nodeoff = 0;
+   int err = 0;
+   void *fdt;
+   const struct event_ft_fixup *fixup = &event->data.ft_fixup;
+   struct dt_non_compliant_purge *purge_entry;
+   struct dt_non_compliant_purge *purge_start =
+   ll_entry_start(struct dt_non_compliant_purge, dt_purge);
+   int nentries = ll_entry_count(struct dt_non_compliant_purge, dt_purge);
+
+   if (fixup->images)
+   return 0;
+
+   fdt = fixup->tree.fdt;
+   for (purge_entry = purge_start; purge_entry != purge_start + nentries;
+purge_entry++) {
+   nodeoff = fdt_path_offset(fdt, purge_entry->node_path);
+   if (nodeoff < 0) {
+   log_debug("Error (%d) getting node offset for %s\n",
+ nodeoff, purge_entry->node_path);
+   continue;
+   }
+
+   if (purge_entry->prop) {
+   err = fdt_delprop(fdt, nodeoff, purge_entry->prop);
+   if (err < 0 && err != -FDT_ERR_NOTFOUND) {
+   log_debug("Error (%d) deleting %s\n",
+ err, purge_entry->prop);
+   goto out;
+   }
+   } else {
+   err = fdt_del_node(fdt, nodeoff);
+   if (err) {
+   log_debug("Error (%d) trying to delete node 
%s\n",
+ err, purge_entry->node_path);
+   goto out;
+   }
+   }
+   }
+
+out:
+   return err;
+}
+EVENT_SPY(EVT_FT_FIXUP, dt_non_compliant_purge);
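Review bot: error handling in the loop is inconsistent. Any negative return from fdt_path_offset(), a corrupt-tree error as much as a missing node, is logged at debug level and skipped, while the first fdt_delprop() or fdt_del_node() failure jumps to out and leaves every later entry in the tree. For an entry such as a key property, a failed purge is therefore invisible unless debug logging is enabled. Consider skipping only -FDT_ERR_NOTFOUND, continuing past per-entry failures while remembering the first error, and reporting real failures with log_err(). The early return on fixup->images also needs a comment saying why that case is excluded.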
-- 
2.34.1



[RFC PATCH 2/5] fwu: Add the fwu-mdata node for removal from devicetree

2023-08-26 Thread Sughosh Ganu
The FWU metadata devicetree node points to the device which stores the
metadata structure. This node is relevant only in U-Boot, and is not
to be passed to the OS. Register for purging this node from the
devicetree, before passing it to the OS.

Signed-off-by: Sughosh Ganu 
---
 drivers/fwu-mdata/fwu-mdata-uclass.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/drivers/fwu-mdata/fwu-mdata-uclass.c 
b/drivers/fwu-mdata/fwu-mdata-uclass.c
index 0a8edaaa41..71411d9c19 100644
--- a/drivers/fwu-mdata/fwu-mdata-uclass.c
+++ b/drivers/fwu-mdata/fwu-mdata-uclass.c
@@ -7,6 +7,7 @@
 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -53,3 +54,7 @@ UCLASS_DRIVER(fwu_mdata) = {
.id = UCLASS_FWU_MDATA,
.name   = "fwu-mdata",
 };
+
+DT_NON_COMPLIANT_PURGE(fwu_mdata) = {
+   .node_path  = "/fwu-mdata",
+};
-- 
2.34.1



[RFC PATCH 3/5] capsule: Add the capsule-key property for removal from devicetree

2023-08-26 Thread Sughosh Ganu
The capsule-key property contains the public key in the form of an EFI
Signature List(ESL) structure. This property is relevant only in
U-Boot, and is not to be passed to the OS. Register for purging this
property from the devicetree, before passing it to the OS.

Signed-off-by: Sughosh Ganu 
---
 lib/efi_loader/efi_capsule.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
index af8a2ee940..5c6c87458f 100644
--- a/lib/efi_loader/efi_capsule.c
+++ b/lib/efi_loader/efi_capsule.c
@@ -9,6 +9,7 @@
 #define LOG_CATEGORY LOGC_EFI
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -403,6 +404,12 @@ out:
 
return status;
 }
+
+DT_NON_COMPLIANT_PURGE(capsule_key) = {
+   .node_path  = "/signature",
+   .prop   = "capsule-key",
+};
+
 #endif /* CONFIG_EFI_CAPSULE_AUTHENTICATE */
 
 static __maybe_unused bool fwu_empty_capsule(struct efi_capsule_header 
*capsule)
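Review bot: the entry sets .prop = "capsule-key", so only the property is deleted and the /signature node itself stays in the tree handed to the OS, empty if the capsule key was its only content. If that node has no upstream binding either, the compliance problem this series targets remains. Either remove the node when it ends up empty or explain in the commit message why it may stay.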
-- 
2.34.1



[RFC PATCH 4/5] bootefi: Call the EVT_FT_FIXUP event handler

2023-08-26 Thread Sughosh Ganu
The bootefi command passes the devicetree to the kernel through the
EFI config table. Call the event handlers for fixing the devicetree
before jumping into the kernel. This removes any devicetree nodes
and/or properties that are specific only to U-Boot, and are not to be
passed to the OS.

Signed-off-by: Sughosh Ganu 
---
 cmd/bootefi.c | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/cmd/bootefi.c b/cmd/bootefi.c
index f73d6eb0e2..c359a46ec4 100644
--- a/cmd/bootefi.c
+++ b/cmd/bootefi.c
@@ -237,6 +237,23 @@ static void *get_config_table(const efi_guid_t *guid)
return NULL;
 }
 
+/**
+ * event_notify_dt_fixup() - call ft_fixup event
+ *
+ * @fdt:   address of the device tree to be passed to the kernel
+ * through the configuration table
+ * Return: None
+ */
+static void event_notify_dt_fixup(void *fdt)
+{
+   int ret;
+   struct event_ft_fixup fixup = {0};
+
+   fixup.tree.fdt = fdt;
+   ret = event_notify(EVT_FT_FIXUP, &fixup, sizeof(fixup));
+   if (ret)
+   printf("Error: %d: FDT Fixup event failed\n", ret);
+}
 #endif /* !CONFIG_IS_ENABLED(GENERATE_ACPI_TABLE) */
 
 /**
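Review bot: event_notify_dt_fixup() returns void and only printf()s when event_notify() fails, so efi_install_fdt() goes on to install a devicetree that may still carry the U-Boot-only nodes and properties. Return the error and let efi_install_fdt() decide, or say in the function comment that a failed fixup is deliberately non-fatal. The "Return: None" line can be dropped if the function stays void.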
@@ -318,6 +335,7 @@ efi_status_t efi_install_fdt(void *fdt)
efi_carve_out_dt_rsv(fdt);
 
efi_try_purge_kaslr_seed(fdt);
+   event_notify_dt_fixup(fdt);
 
if (CONFIG_IS_ENABLED(EFI_TCG2_PROTOCOL_MEASURE_DTB)) {
ret = efi_tcg2_measure_dtb(fdt);
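Review bot: the new call is placed before efi_tcg2_measure_dtb(), so with EFI_TCG2_PROTOCOL_MEASURE_DTB enabled the measured devicetree is the one left after every registered EVT_FT_FIXUP handler has run, not only the purge. That is probably the right tree to measure, since it is what the OS receives, but it can change the measurement on existing platforms and deserves a sentence in the commit message.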
-- 
2.34.1



[RFC PATCH 5/5] doc: Add a document for non-compliant DT node/property removal

2023-08-26 Thread Sughosh Ganu
Add a document explaining the need for removal of non-compliant
devicetree nodes and properties. Also describe in brief, the macros
that can be used for this removal.

Signed-off-by: Sughosh Ganu 
---
 .../devicetree/dt_non_compliant_purge.rst | 64 +++
 1 file changed, 64 insertions(+)
 create mode 100644 doc/develop/devicetree/dt_non_compliant_purge.rst

diff --git a/doc/develop/devicetree/dt_non_compliant_purge.rst 
b/doc/develop/devicetree/dt_non_compliant_purge.rst
new file mode 100644
index 00..c3a8feab5b
--- /dev/null
+++ b/doc/develop/devicetree/dt_non_compliant_purge.rst
@@ -0,0 +1,64 @@
+.. SPDX-License-Identifier: GPL-2.0+
+
+Removal of non-compliant nodes and properties
+=
+
+The devicetree used in U-Boot might contain nodes and properties which
+are specific only to U-Boot, and are not necessarily being used to
+describe hardware but to pass information to U-Boot. An example of
+such a property would be the public key being passed to U-Boot for
+verification.
+
+This devicetree can then be passed to the OS. Since certain nodes and
+properties are not really describing hardware, and more importantly,
+these are only relevant to U-Boot, bindings for these cannot be
+upstreamed into the devicetree repository. There have been instances
+of attempts being made to upstream such bindings, and these deemed not
+fit for upstreaming. Not having a binding for these nodes and
+properties means that the devicetree fails the schema compliance tests
+[1]. This also means that the platform cannot get certifications like
+SystemReady [2] which, among other things require a devicetree which
+passes the schema compliance tests.
+
+For such nodes and properties, it has been suggested by the devicetree
+maintainers that the right thing to do is to remove them from the
+devicetree before it gets passed on to the OS [3].
+
+Removing nodes/properties
+-
+
+In U-Boot, this is been done through adding information on such nodes
+and properties in a list. The entire node can be deleted, or a
+specific property under a node can be deleted. The list of such nodes
+and properties is generated at compile time, and the function to purge
+these can be invoked through a EVT_FT_FIXUP event notify call.
+
+For deleting a node, this can be done by declaring a macro::
+
+   DT_NON_COMPLIANT_PURGE(fwu_mdata) = {
+   .node_path  = "/fwu-mdata",
+   };
+
+Similarly, for deleting a property under a node, that can be done by
+specifying the property name::
+
+   DT_NON_COMPLIANT_PURGE(capsule_key) = {
+   .node_path  = "/signature",
+   .prop   = "capsule-key",
+   };
+
+In the first example, the entire node with path /fwu-mdata will be
+removed. In the second example, the property capsule-key
+under /signature node will be removed.
+
+Similarly, a list of nodes and properties can be specified using the
+following macro::
+
+   DT_NON_COMPLIANT_PURGE_LIST(foo) = {
+   { .node_path = "/some_node", .prop = "some_bar" },
+   { .node_path = "/some_node" },
+   };
+
+[1] - https://github.com/devicetree-org/dt-schema
+[2] - 
https://www.arm.com/architecture/system-architectures/systemready-certification-program
+[3] - 
https://lore.kernel.org/u-boot/cal_jsqjn4fehoml7z3yj0wj9bpx1ose7zf26l_gv2os6cg-...@mail.gmail.com/
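Review bot: "In U-Boot, this is been done through" should read "this is done through", and "a EVT_FT_FIXUP event" should be "an EVT_FT_FIXUP event". On content, the document should also say that an entry whose node path is not present in the tree is skipped without error, and name the boot paths that raise EVT_FT_FIXUP, since patch 4/5 had to add the call for bootefi.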
-- 
2.34.1
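
The purge rules this series describes (a node path alone removes the node, a node path plus a property removes only that property) can be checked offline against a devicetree blob. The following is an added example, not code from the series or from U-Boot: a small reader for the flattened devicetree format that reports which of the entries registered in patches 2/5 and 3/5 are still present. The function names, the sample trees and the exact-path matching are assumptions made for this illustration.

```python
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9

# Entries registered for removal in patches 2/5 and 3/5 of the series:
# (node path, property); a property of None means the whole node goes.
PURGE_LIST = [("/fwu-mdata", None), ("/signature", "capsule-key")]


def _pad4(data):
    return data + b"\0" * (-len(data) % 4)


def build_dtb(tree):
    """Serialise {name: bytes | dict} into a minimal DTB (sample input only)."""
    strings, offsets = bytearray(), {}

    def emit(name, node):
        out = struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0")
        for key, val in node.items():          # properties come before subnodes
            if not isinstance(val, dict):
                if key not in offsets:
                    offsets[key] = len(strings)
                    strings.extend(key.encode() + b"\0")
                out += struct.pack(">III", FDT_PROP, len(val), offsets[key])
                out += _pad4(val)
        for key, val in node.items():
            if isinstance(val, dict):
                out += emit(key, val)
        return out + struct.pack(">I", FDT_END_NODE)

    body = emit("", tree) + struct.pack(">I", FDT_END)
    off_struct = 40 + 16                       # header + empty reserve map
    off_strings = off_struct + len(body)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings),
                         off_struct, off_strings, 40, 17, 16, 0,
                         len(strings), len(body))
    return header + b"\0" * 16 + body + bytes(strings)


def walk_dtb(blob):
    """Return {node_path: {property_name: value_bytes}} for every node."""
    magic, total, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != FDT_MAGIC or total > len(blob):
        raise ValueError("not a valid flattened devicetree")
    nodes, stack, pos = {}, [], off_struct
    while True:
        (token,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if token == FDT_BEGIN_NODE:
            end = blob.index(b"\0", pos)
            stack.append(blob[pos:end].decode())
            pos = (end + 1 + 3) & ~3           # name is NUL-terminated, padded
            nodes["/" + "/".join(stack[1:])] = {}
        elif token == FDT_END_NODE:
            stack.pop()
        elif token == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", blob, pos)
            pos += 8
            start = off_strings + nameoff
            name = blob[start:blob.index(b"\0", start)].decode()
            nodes["/" + "/".join(stack[1:])][name] = blob[pos:pos + length]
            pos = (pos + length + 3) & ~3
        elif token == FDT_END:
            return nodes
        elif token != FDT_NOP:                 # NOPs are left by in-place edits
            raise ValueError("unknown structure token %#x" % token)


def find_leftovers(blob, purge_list=PURGE_LIST):
    """List purge entries still present; absent nodes are simply skipped."""
    nodes = walk_dtb(blob)
    left = []
    for path, prop in purge_list:
        if path not in nodes:
            continue
        if prop is None:
            left.append(path)
        elif prop in nodes[path]:
            left.append("%s:%s" % (path, prop))
    return left


# Constructed trees: what U-Boot holds, and what the OS should receive.
_COMMON = {"compatible": b"constructed,board\0",
           "chosen": {"bootargs": b"console=ttyS0\0"}}
SAMPLE_BEFORE = build_dtb({**_COMMON,
                           "signature": {"capsule-key": b"\x01\x02\x03"},
                           "fwu-mdata": {"status": b"okay\0"}})
SAMPLE_AFTER = build_dtb({**_COMMON, "signature": {}})

if __name__ == "__main__":
    for label, blob in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, find_leftovers(blob) or "clean")
```

On a booted Linux system the blob the kernel received can be read from /sys/firmware/fdt and passed to find_leftovers() in place of the constructed samples.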



Re: [RFC PATCH 1/5] dt: Provide a way to remove non-compliant nodes and properties

2023-08-28 Thread Sughosh Ganu
On Sat, 26 Aug 2023 at 15:51, Heinrich Schuchardt  wrote:
>
>
>
> On 8/26/23 11:06, Sughosh Ganu wrote:
> > Add a function which is registered to spy for an EVT_FT_FIXUP event,
> > and removes the non upstreamed nodes and properties from the
> > devicetree before it gets passed to the OS.
> >
> > This allows removing entire nodes, or specific properties under nodes
> > from the devicetree. The required nodes and properties can be
> > registered for removal through the DT_NON_COMPLIANT_PURGE and
> > DT_NON_COMPLIANT_PURGE_LIST macros.
> >
> > Signed-off-by: Sughosh Ganu 
> > ---
> >   include/dt-structs.h | 11 +++
> >   lib/Makefile |  1 +
> >   lib/dt_purge.c   | 73 
> >   3 files changed, 85 insertions(+)
> >   create mode 100644 lib/dt_purge.c
> >
> > diff --git a/include/dt-structs.h b/include/dt-structs.h
> > index fa1622cb1d..f535c60471 100644
> > --- a/include/dt-structs.h
> > +++ b/include/dt-structs.h
> > @@ -57,3 +57,14 @@ struct phandle_2_arg {
> >   #endif
> >
> >   #endif
> > +
> > +struct dt_non_compliant_purge {
> > + const char *node_path;
> > + const char *prop;
> > +};
> > +
> > +#define DT_NON_COMPLIANT_PURGE(__name)   \
> > + ll_entry_declare(struct dt_non_compliant_purge, __name, dt_purge)
> > +
> > +#define DT_NON_COMPLIANT_PURGE_LIST(__name)  \
> > + ll_entry_declare_list(struct dt_non_compliant_purge, __name, dt_purge)
> > diff --git a/lib/Makefile b/lib/Makefile
> > index 8d8ccc8bbc..82a906daa0 100644
> > --- a/lib/Makefile
> > +++ b/lib/Makefile
> > @@ -37,6 +37,7 @@ endif
> >   obj-y += crc8.o
> >   obj-y += crc16.o
> >   obj-y += crc16-ccitt.o
> > +obj-y += dt_purge.o
> >   obj-$(CONFIG_ERRNO_STR) += errno_str.o
> >   obj-$(CONFIG_FIT) += fdtdec_common.o
> >   obj-$(CONFIG_TEST_FDTDEC) += fdtdec_test.o
> > diff --git a/lib/dt_purge.c b/lib/dt_purge.c
> > new file mode 100644
> > index 00..f893ba9796
> > --- /dev/null
> > +++ b/lib/dt_purge.c
> > @@ -0,0 +1,73 @@
> > +// SPDX-License-Identifier: GPL-2.0-or-later
> > +/*
> > + * Copyright (c) 2023, Linaro Limited
> > + */
> > +
> > +#include 
> > +#include 
> > +#include 
> > +
> > +#include 
> > +
> > +/**
> > + * dt_non_compliant_purge() -Remove non-upstreamed nodes and 
> > properties
> > + *   from the DT
> > + * @ctx: Context for event
> > + * @event: Event to process
> > + *
> > + * Iterate through an array of DT nodes and properties, and remove them
> > + * from the device-tree before the DT gets handed over to the kernel.
> > + * These are nodes and properties which do not have upstream bindings
> > + * and need to be purged before being handed over to the kernel.
> > + *
> > + * If both the node and property are specified, delete the property. If
> > + * only the node is specified, delete the entire node, including it's
> > + * subnodes, if any.
> > + *
> > + * Return: 0 if OK, -ve on error
> > + */
> > +static int dt_non_compliant_purge(void *ctx, struct event *event)
> > +{
> > + int nodeoff = 0;
> > + int err = 0;
> > + void *fdt;
> > + const struct event_ft_fixup *fixup = &event->data.ft_fixup;
> > + struct dt_non_compliant_purge *purge_entry;
> > + struct dt_non_compliant_purge *purge_start =
> > + ll_entry_start(struct dt_non_compliant_purge, dt_purge);
> > + int nentries = ll_entry_count(struct dt_non_compliant_purge, 
> > dt_purge);
> > +
> > + if (fixup->images)
> > + return 0;
> > +
> > + fdt = fixup->tree.fdt;
> > + for (purge_entry = purge_start; purge_entry != purge_start + nentries;
> > +  purge_entry++) {
> > + nodeoff = fdt_path_offset(fdt, purge_entry->node_path);
> > + if (nodeoff < 0) {
> > + log_debug("Error (%d) getting node offset for %s\n",
> > +   nodeoff, purge_entry->node_path);
> > + continue;
> > + }
> > +
> > + if (purge_entry->prop) {
> > + err = fdt_delprop(fdt, nodeoff, purge_entry->prop);
> > + if (err < 0 && err != -FDT_ERR_NOTFOUND) {
> > + log_debug("Error (%d) deleting %s\n",
> &

Re: [RFC PATCH 1/5] dt: Provide a way to remove non-compliant nodes and properties

2023-08-28 Thread Sughosh Ganu
On Sat, 26 Aug 2023 at 16:09, Heinrich Schuchardt  wrote:
>
> On 8/26/23 11:06, Sughosh Ganu wrote:
> > Add a function which is registered to spy for an EVT_FT_FIXUP event,
> > and removes the non upstreamed nodes and properties from the
> > devicetree before it gets passed to the OS.
> >
> > This allows removing entire nodes, or specific properties under nodes
> > from the devicetree. The required nodes and properties can be
> > registered for removal through the DT_NON_COMPLIANT_PURGE and
> > DT_NON_COMPLIANT_PURGE_LIST macros.
> >
> > Signed-off-by: Sughosh Ganu 
> > ---
> >   include/dt-structs.h | 11 +++
> >   lib/Makefile |  1 +
> >   lib/dt_purge.c   | 73 
> >   3 files changed, 85 insertions(+)
> >   create mode 100644 lib/dt_purge.c
> >
> > diff --git a/include/dt-structs.h b/include/dt-structs.h
> > index fa1622cb1d..f535c60471 100644
> > --- a/include/dt-structs.h
> > +++ b/include/dt-structs.h
> > @@ -57,3 +57,14 @@ struct phandle_2_arg {
> >   #endif
> >
> >   #endif
> > +
> > +struct dt_non_compliant_purge {
> > + const char *node_path;
> > + const char *prop;
> > +};
> > +
> > +#define DT_NON_COMPLIANT_PURGE(__name)   \
> > + ll_entry_declare(struct dt_non_compliant_purge, __name, dt_purge)
> > +
> > +#define DT_NON_COMPLIANT_PURGE_LIST(__name)  \
> > + ll_entry_declare_list(struct dt_non_compliant_purge, __name, dt_purge)
> > diff --git a/lib/Makefile b/lib/Makefile
> > index 8d8ccc8bbc..82a906daa0 100644
> > --- a/lib/Makefile
> > +++ b/lib/Makefile
> > @@ -37,6 +37,7 @@ endif
> >   obj-y += crc8.o
> >   obj-y += crc16.o
> >   obj-y += crc16-ccitt.o
> > +obj-y += dt_purge.o
>
> SPL can be the last boot stage (e.g. for Falcon Mode). So placing this
> under 'ifndef CONFIG_SPL_BUILD' is not correct.
>
> You need some logic that identifies into which boot stage this code
> belongs, e.g. use obj-$(CONFIG_$(SPL_TPL_)OF_LIBFDT).

Okay. Will check and add this under the suggested config symbol.

-sughosh

>
> Best regards
>
> Heinrich
>
> >   obj-$(CONFIG_ERRNO_STR) += errno_str.o
> >   obj-$(CONFIG_FIT) += fdtdec_common.o
> >   obj-$(CONFIG_TEST_FDTDEC) += fdtdec_test.o
> > diff --git a/lib/dt_purge.c b/lib/dt_purge.c
> > new file mode 100644
> > index 00..f893ba9796
> > --- /dev/null
> > +++ b/lib/dt_purge.c
> > @@ -0,0 +1,73 @@
> > +// SPDX-License-Identifier: GPL-2.0-or-later
> > +/*
> > + * Copyright (c) 2023, Linaro Limited
> > + */
> > +
> > +#include 
> > +#include 
> > +#include 
> > +
> > +#include 
> > +
> > +/**
> > + * dt_non_compliant_purge() -Remove non-upstreamed nodes and 
> > properties
> > + *   from the DT
> > + * @ctx: Context for event
> > + * @event: Event to process
> > + *
> > + * Iterate through an array of DT nodes and properties, and remove them
> > + * from the device-tree before the DT gets handed over to the kernel.
> > + * These are nodes and properties which do not have upstream bindings
> > + * and need to be purged before being handed over to the kernel.
> > + *
> > + * If both the node and property are specified, delete the property. If
> > + * only the node is specified, delete the entire node, including it's
> > + * subnodes, if any.
> > + *
> > + * Return: 0 if OK, -ve on error
> > + */
> > +static int dt_non_compliant_purge(void *ctx, struct event *event)
> > +{
> > + int nodeoff = 0;
> > + int err = 0;
> > + void *fdt;
> > + const struct event_ft_fixup *fixup = &event->data.ft_fixup;
> > + struct dt_non_compliant_purge *purge_entry;
> > + struct dt_non_compliant_purge *purge_start =
> > + ll_entry_start(struct dt_non_compliant_purge, dt_purge);
> > + int nentries = ll_entry_count(struct dt_non_compliant_purge, 
> > dt_purge);
> > +
> > + if (fixup->images)
> > + return 0;
> > +
> > + fdt = fixup->tree.fdt;
> > + for (purge_entry = purge_start; purge_entry != purge_start + nentries;
> > +  purge_entry++) {
> > + nodeoff = fdt_path_offset(fdt, purge_entry->node_path);
> > + if (nodeoff < 0) {
> > + log_debug("Error (%d) getting node offset for %s\n",
> > +

Re: [RFC PATCH 0/5] Allow for removal of DT nodes and properties

2023-08-28 Thread Sughosh Ganu
On Sat, 26 Aug 2023 at 15:36, Heinrich Schuchardt  wrote:
>
> On 8/26/23 11:06, Sughosh Ganu wrote:
> >
> > Provide a way for removing certain devicetree nodes and/or properties
> > from the devicetree. This is needed to purge certain nodes and
> > properties which may be relevant only in U-Boot. Such nodes and
> > properties are then removed from the devicetree before it is passed to
> > the kernel. This ensures that the devicetree passed to the OS does not
> > contain any non-compliant nodes and properties.
> >
> > The removal of the nodes and properties is being done through an
> > EVT_FT_FIXUP handler. I am not sure if the removal code needs to be
> > behind any Kconfig symbol.
> >
> > I have only build tested this on sandbox, and tested on qemu arm64
> > virt platform. This being a RFC, I have not put this through a CI run.
>
> We should have a test for the new functionality. E.g. add some
> superfluous properties and nodes to arch/sandbox/dts/test.dts, delete
> them via the DT_PURGE macro, and check that the device-tree passed to an
> EFI binary does not contain these properties and nodes.

Yes, I plan to have a test in the non-RFC version. I was thinking of
adding a command and then using that to test the functionality.

-sughosh

>
> Best regards
>
> Heinrich
>
> >
> > Sughosh Ganu (5):
> >dt: Provide a way to remove non-compliant nodes and properties
> >fwu: Add the fwu-mdata node for removal from devicetree
> >capsule: Add the capsule-key property for removal from devicetree
> >bootefi: Call the EVT_FT_FIXUP event handler
> >doc: Add a document for non-compliant DT node/property removal
> >
> >   cmd/bootefi.c | 18 +
> >   .../devicetree/dt_non_compliant_purge.rst | 64 
> >   drivers/fwu-mdata/fwu-mdata-uclass.c  |  5 ++
> >   include/dt-structs.h  | 11 +++
> >   lib/Makefile  |  1 +
> >   lib/dt_purge.c| 73 +++
> >   lib/efi_loader/efi_capsule.c  |  7 ++
> >   7 files changed, 179 insertions(+)
> >   create mode 100644 doc/develop/devicetree/dt_non_compliant_purge.rst
> >   create mode 100644 lib/dt_purge.c
> >


Re: [RFC PATCH 4/5] bootefi: Call the EVT_FT_FIXUP event handler

2023-08-28 Thread Sughosh Ganu
On Sat, 26 Aug 2023 at 15:57, Heinrich Schuchardt  wrote:
>
> On 8/26/23 11:06, Sughosh Ganu wrote:
> > The bootefi command passes the devicetree to the kernel through the
> > EFI config table. Call the event handlers for fixing the devicetree
> > before jumping into the kernel. This removes any devicetree nodes
> > and/or properties that are specific only to U-Boot, and are not to be
> > passed to the OS.
> >
> > Signed-off-by: Sughosh Ganu 
> > ---
> >   cmd/bootefi.c | 18 ++
> >   1 file changed, 18 insertions(+)
> >
> > diff --git a/cmd/bootefi.c b/cmd/bootefi.c
> > index f73d6eb0e2..c359a46ec4 100644
> > --- a/cmd/bootefi.c
> > +++ b/cmd/bootefi.c
> > @@ -237,6 +237,23 @@ static void *get_config_table(const efi_guid_t *guid)
> >   return NULL;
> >   }
> >
> > +/**
> > + * event_notify_dt_fixup() - call ft_fixup event
> > + *
> > + * @fdt: address of the device tree to be passed to the kernel
> > + *   through the configuration table
> > + * Return:   None
> > + */
> > +static void event_notify_dt_fixup(void *fdt)
> > +{
> > + int ret;
> > + struct event_ft_fixup fixup = {0};
> > +
> > + fixup.tree.fdt = fdt;
> > + ret = event_notify(EVT_FT_FIXUP, &fixup, sizeof(fixup));
> > + if (ret)
> > + printf("Error: %d: FDT Fixup event failed\n", ret);
> > +}
> >   #endif /* !CONFIG_IS_ENABLED(GENERATE_ACPI_TABLE) */
> >
> >   /**
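Review bot: event_notify_dt_fixup() returns void and only prints when event_notify() fails, so efi_install_fdt() carries on and installs a tree that may still hold the nodes and properties the fixup handlers were meant to strip. Return the error code from the helper (the kernel-doc would then read "Return: 0 if OK, -ve on error") and let the caller decide whether to abort the install.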
> > @@ -318,6 +335,7 @@ efi_status_t efi_install_fdt(void *fdt)
> >   efi_carve_out_dt_rsv(fdt);
> >
> >   efi_try_purge_kaslr_seed(fdt);
> > + event_notify_dt_fixup(fdt);
>
> The event is already triggered in image_setup_libfdt(). Don't trigger it
> twice.

The reason I put an explicit event_notify call is because the
image_setup_libfdt() call only calls the ft_fixup handlers if the
livetree is not active. So the fixup handlers would not be called on
platforms that enable livetree. Although I'm not sure if livetree
should be disabled before the ft fixup has to happen, or platforms
that need ft fixup should not enable OF_LIVE. Disabling the livetree
is not happening now, so I am not sure how the fixup event should work
on platforms which have OF_LIVE enabled.

-sughosh

>
> Best regards
>
> Heinrich
>
> >
> >   if (CONFIG_IS_ENABLED(EFI_TCG2_PROTOCOL_MEASURE_DTB)) {
> >   ret = efi_tcg2_measure_dtb(fdt);
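Review bot: event_notify_dt_fixup(fdt) sits ahead of efi_tcg2_measure_dtb(fdt), so the measured DTB is the tree after the fixups have run; that ordering is easy to break in a later edit and deserves a one-line comment in efi_install_fdt(). Because the new helper has no return value, a failed fixup here is still followed by a measurement of a tree that was not fully fixed up, so the call site should check a return value once the helper provides one.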
>


Re: [RFC PATCH 5/5] doc: Add a document for non-compliant DT node/property removal

2023-08-28 Thread Sughosh Ganu
On Sat, 26 Aug 2023 at 15:35, Heinrich Schuchardt  wrote:
>
> On 8/26/23 11:06, Sughosh Ganu wrote:
> > Add a document explaining the need for removal of non-compliant
> > devicetree nodes and properties. Also describe in brief, the macros
> > that can be used for this removal.
> >
> > Signed-off-by: Sughosh Ganu 
>
> Thanks for properly documenting the change.
>
> Warning, treated as error:
> doc/develop/devicetree/dt_non_compliant_purge.rst:
> document isn't included in any toctree
>
> Please, add the document to doc/develop/devicetree/index.rst
>
> Please, run make htmldocs before resubmitting.
>
> > ---
> >   .../devicetree/dt_non_compliant_purge.rst | 64 +++
> >   1 file changed, 64 insertions(+)
> >   create mode 100644 doc/develop/devicetree/dt_non_compliant_purge.rst
> >
> > diff --git a/doc/develop/devicetree/dt_non_compliant_purge.rst 
> > b/doc/develop/devicetree/dt_non_compliant_purge.rst
> > new file mode 100644
> > index 00..c3a8feab5b
> > --- /dev/null
> > +++ b/doc/develop/devicetree/dt_non_compliant_purge.rst
> > @@ -0,0 +1,64 @@
> > +.. SPDX-License-Identifier: GPL-2.0+
> > +
> > +Removal of non-compliant nodes and properties
> > +=
> > +
> > +The devicetree used in U-Boot might contain nodes and properties which
> > +are specific only to U-Boot, and are not necessarily being used to
> > +describe hardware but to pass information to U-Boot. An example of
> > +such a property would be the public key being passed to U-Boot for
> > +verification.
> > +
> > +This devicetree can then be passed to the OS. Since certain nodes and
> > +properties are not really describing hardware, and more importantly,
> > +these are only relevant to U-Boot, bindings for these cannot be
> > +upstreamed into the devicetree repository. There have been instances
> > +of attempts being made to upstream such bindings, and these deemed not
>
> but these were not deemed fit
>
> > +fit for upstreaming. Not having a binding for these nodes and
> > +properties means that the devicetree fails the schema compliance tests
> > +[1]. This also means that the platform cannot get certifications like
> > +SystemReady [2] which, among other things require a devicetree which
>
> %s/require/requires/
>
> > +passes the schema compliance tests.
> > +
> > +For such nodes and properties, it has been suggested by the devicetree
> > +maintainers that the right thing to do is to remove them from the
>
> %s/that the right thing to do is//
>
> > +devicetree before it gets passed on to the OS [3].
>
> %s/on to/to/
>
> > +
> > +Removing nodes/properties
> > +-
> > +
> > +In U-Boot, this is been done through adding information on such nodes
>
> %s/is been done through/is done by/
>
> > +and properties in a list. The entire node can be deleted, or a
> > +specific property under a node can be deleted. The list of such nodes
> > +and properties is generated at compile time, and the function to purge
> > +these can be invoked through a EVT_FT_FIXUP event notify call.
> > +
> > +For deleting a node, this can be done by declaring a macro::
> > +
> > + DT_NON_COMPLIANT_PURGE(fwu_mdata) = {
> > + .node_path  = "/fwu-mdata",
> > + };
>
> Where should such a macro be placed?

It should be placed in any file that will get compiled.

>
> > +
> > +Similarly, for deleting a property under a node, that can be done by
> > +specifying the property name::
> > +
> > + DT_NON_COMPLIANT_PURGE(capsule_key) = {
> > + .node_path  = "/signature",
> > + .prop   = "capsule-key",
> > + };
>
> Why is capsule_key needed twice here? What would be the effect of:
>
> DT_NON_COMPLIANT_PURGE(voodoo) = {
> .node_path  = "/signature",
> .prop   = "capsule-key",
> };

In your above example, voodoo just happens to be the name of the entry
that will be created. But the property that will be searched in the
devicetree for removal is "capsule-key".

>
> > +
> > +In the first example, the entire node with path /fwu-mdata will be
> > +removed. In the second example, the property capsule-key
> > +under /signature node will be removed.
> > +
> > +Similarly, a list of nodes and properties can be specified using the
> > +following macro::
> > +
> > + DT_NON_COMPLIANT_PURGE_LIST(foo) 
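Review bot: the two DT_NON_COMPLIANT_PURGE examples never say what the macro argument is or where the declaration has to live. Add a sentence stating that the argument (fwu_mdata, capsule_key) is only the name of the list entry, that .node_path and .prop alone select what is removed, and in which source files the declaration is expected to go.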

Re: [RFC PATCH 5/5] doc: Add a document for non-compliant DT node/property removal

2023-08-28 Thread Sughosh Ganu
hi Simon,

On Mon, 28 Aug 2023 at 23:25, Simon Glass  wrote:
>
> Hi Sughosh,
>
> On Sat, 26 Aug 2023 at 03:07, Sughosh Ganu  wrote:
> >
> > Add a document explaining the need for removal of non-compliant
> > devicetree nodes and properties. Also describe in brief, the macros
> > that can be used for this removal.
> >
> > Signed-off-by: Sughosh Ganu 
> > ---
> >  .../devicetree/dt_non_compliant_purge.rst | 64 +++
> >  1 file changed, 64 insertions(+)
> >  create mode 100644 doc/develop/devicetree/dt_non_compliant_purge.rst
> >
> > diff --git a/doc/develop/devicetree/dt_non_compliant_purge.rst 
> > b/doc/develop/devicetree/dt_non_compliant_purge.rst
> > new file mode 100644
> > index 00..c3a8feab5b
> > --- /dev/null
> > +++ b/doc/develop/devicetree/dt_non_compliant_purge.rst
> > @@ -0,0 +1,64 @@
> > +.. SPDX-License-Identifier: GPL-2.0+
> > +
> > +Removal of non-compliant nodes and properties
> > +=
> > +
> > +The devicetree used in U-Boot might contain nodes and properties which
> > +are specific only to U-Boot, and are not necessarily being used to
> > +describe hardware but to pass information to U-Boot. An example of
> > +such a property would be the public key being passed to U-Boot for
> > +verification.
>
> It has nothing to do with describing hardware. The DT can describe
> other things too. See the /options node, for example.
>
> Please don't bring this highly misleading language into U-Boot.

Please point out what is misleading in the above paragraph. What is
being emphasised in the above paragraph is that certain nodes and
properties in the devicetree are relevant only in u-boot, and not the
kernel. And this is precisely what the devicetree maintainers are
saying [1].

>
> > +
> > +This devicetree can then be passed to the OS. Since certain nodes and
> > +properties are not really describing hardware, and more importantly,
> > +these are only relevant to U-Boot, bindings for these cannot be
> > +upstreamed into the devicetree repository. There have been instances
> > +of attempts being made to upstream such bindings, and these deemed not
> > +fit for upstreaming.
>
> Then either they should not be in U-Boot, or there is a problem with
> the process.
>
> > Not having a binding for these nodes and
> > +properties means that the devicetree fails the schema compliance tests
> > +[1]. This also means that the platform cannot get certifications like
> > +SystemReady [2] which, among other things require a devicetree which
> > +passes the schema compliance tests.
> > +
> > +For such nodes and properties, it has been suggested by the devicetree
> > +maintainers that the right thing to do is to remove them from the
> > +devicetree before it gets passed on to the OS [3].
>
> Hard NAK. If we go this way, then no one will ever have an incentive
> to do the right thing.
>
> Please send bindings for Linaro's work, instead. If something is
> entirely U-Boot-specific, then it can go in /options/u-boot but it
> still must be in the dt-schema.

Please re-read the document including the last link [1]. If you go
through that entire thread, you will notice that this is precisely
what Linaro was trying to do here -- upstream the binding for the
fwu-mdata node. It is only based on the feedback of the devicetree
maintainers that this patchset was required.

-sughosh

[1] - 
https://lore.kernel.org/u-boot/cal_jsqjn4fehoml7z3yj0wj9bpx1ose7zf26l_gv2os6cg-...@mail.gmail.com/#t

>
> > +
> > +Removing nodes/properties
> > +-
> > +
> > +In U-Boot, this is been done through adding information on such nodes
> > +and properties in a list. The entire node can be deleted, or a
> > +specific property under a node can be deleted. The list of such nodes
> > +and properties is generated at compile time, and the function to purge
> > +these can be invoked through a EVT_FT_FIXUP event notify call.
> > +
> > +For deleting a node, this can be done by declaring a macro::
> > +
> > +   DT_NON_COMPLIANT_PURGE(fwu_mdata) = {
> > +   .node_path  = "/fwu-mdata",
> > +   };
> > +
> > +Similarly, for deleting a property under a node, that can be done by
> > +specifying the property name::
> > +
> > +   DT_NON_COMPLIANT_PURGE(capsule_key) = {
> > +   .node_path  = "/signature",
> > +   .prop   = "capsule-key",
> > +   };
> > +
> > +In the first example, the entire node with p
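Review bot: the "Removing nodes/properties" section does not say what happens when a listed node path or property is absent from the devicetree, or when a deletion fails. State whether the remaining entries are still processed and whether the boot continues, and change "through a EVT_FT_FIXUP" to "through an EVT_FT_FIXUP".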

Re: [RFC PATCH 5/5] doc: Add a document for non-compliant DT node/property removal

2023-08-29 Thread Sughosh Ganu
hi Simon,

On Tue, 29 Aug 2023 at 22:55, Simon Glass  wrote:
>
> Hi Sughosh,
>
> On Mon, 28 Aug 2023 at 12:35, Sughosh Ganu  wrote:
> >
> > hi Simon,
> >
> > On Mon, 28 Aug 2023 at 23:25, Simon Glass  wrote:
> > >
> > > Hi Sughosh,
> > >
> > > > On Sat, 26 Aug 2023 at 03:07, Sughosh Ganu wrote:
> > > >
> > > > Add a document explaining the need for removal of non-compliant
> > > > devicetree nodes and properties. Also describe in brief, the macros
> > > > that can be used for this removal.
> > > >
> > > > Signed-off-by: Sughosh Ganu 
> > > > ---
> > > >  .../devicetree/dt_non_compliant_purge.rst | 64 +++
> > > >  1 file changed, 64 insertions(+)
> > > >  create mode 100644 doc/develop/devicetree/dt_non_compliant_purge.rst
> > > >
> > > > diff --git a/doc/develop/devicetree/dt_non_compliant_purge.rst 
> > > > b/doc/develop/devicetree/dt_non_compliant_purge.rst
> > > > new file mode 100644
> > > > index 00..c3a8feab5b
> > > > --- /dev/null
> > > > +++ b/doc/develop/devicetree/dt_non_compliant_purge.rst
> > > > @@ -0,0 +1,64 @@
> > > > +.. SPDX-License-Identifier: GPL-2.0+
> > > > +
> > > > +Removal of non-compliant nodes and properties
> > > > +=
> > > > +
> > > > +The devicetree used in U-Boot might contain nodes and properties which
> > > > +are specific only to U-Boot, and are not necessarily being used to
> > > > +describe hardware but to pass information to U-Boot. An example of
> > > > +such a property would be the public key being passed to U-Boot for
> > > > +verification.
> > >
> > > It has nothing to do with describing hardware. The DT can describe
> > > other things too. See the /options node, for example.
> > >
> > > Please don't bring this highly misleading language into U-Boot.
> >
> > Please point out what is misleading in the above paragraph. What is
> > being emphasised in the above paragraph is that certain nodes and
> > properties in the devicetree are relevant only in u-boot, and not the
> > kernel. And this is precisely what the devicetree maintainers are
> > saying [1].
>
> That is not relevant though...we need to make sure all the nodes are
> in the dt schema.
>
> It is misleading because you imply that DT should only describe
> hardware. That is not true.
>
> >
> > >
> > > > +
> > > > +This devicetree can then be passed to the OS. Since certain nodes and
> > > > +properties are not really describing hardware, and more importantly,
> > > > +these are only relevant to U-Boot, bindings for these cannot be
> > > > +upstreamed into the devicetree repository. There have been instances
> > > > +of attempts being made to upstream such bindings, and these deemed not
> > > > +fit for upstreaming.
> > >
> > > Then either they should not be in U-Boot, or there is a problem with
> > > the process.
> > >
> > > > Not having a binding for these nodes and
> > > > +properties means that the devicetree fails the schema compliance tests
> > > > +[1]. This also means that the platform cannot get certifications like
> > > > +SystemReady [2] which, among other things require a devicetree which
> > > > +passes the schema compliance tests.
> > > > +
> > > > +For such nodes and properties, it has been suggested by the devicetree
> > > > +maintainers that the right thing to do is to remove them from the
> > > > +devicetree before it gets passed on to the OS [3].
> > >
> > > Hard NAK. If we go this way, then no one will ever have an incentive
> > > to do the right thing.
> > >
> > > Please send bindings for Linaro's work, instead. If something is
> > > entirely U-Boot-specific, then it can go in /options/u-boot but it
> > > still must be in the dt-schema.
> >
> > Please re-read the document including the last link [1]. If you go
> > through that entire thread, you will notice that this is precisely
> > what Linaro was trying to do here -- upstream the binding for the
> > fwu-mdata node. It is only based on the feedback of the devicetree
> > maintainers that this patchset was required.
>
> It looks like it should go in /options/u-boot ? Can you resubmit it there?

Okay

[PATCH 0/8] Add some more EFI capsule tooling support

2023-09-08 Thread Sughosh Ganu


Recently, a set of patches were merged in next, which were adding
support for generating capsules as part of the U-Boot build. Mid way
through the review of those patches, it was decided to drop the
patches for generating capsules through a config file. That was
primarily due to the use of absolute paths in binman for testing the
capsule generation through config file. Now that the base set of
patches have been merged, this series is picking up the remaining
patches for review. This series addresses the concern that Simon Glass
had with the use of absolute paths.

The first set of patches are adding support for generating capsules by
parsing the capsule parameters through a config file, and adding a
binman entry type for this. These are patches 1-5.

The other set of patches is for generating empty accept and revert
capsules through binman. These capsules are needed for the FWU A/B
update functionality.


Sughosh Ganu (8):
  tools: mkeficapsule: Add support for parsing capsule params from
config file
  btool: mkeficapsule: Generate capsule through a config file
  binman: capsule: Generate capsules through config file
  doc: Document capsule generation through a config file
  sandbox: capsule: Add a config file for generating capsules
  test: capsule: Generate capsules through config file
  btool: mkeficapsule: Add support for EFI empty capsule generation
  binman: capsule: Add support for generating EFI empty capsules

 configs/sandbox_defconfig |   2 +
 doc/develop/uefi/uefi.rst |  70 
 .../test_efi_capsule/capsule_gen_binman.dts   |   8 +
 test/py/tests/test_efi_capsule/conftest.py|  18 +-
 .../test_efi_capsule/sandbox_capsule_cfg.txt  | 162 
 tools/Kconfig |  16 +
 tools/Makefile|   1 +
 tools/binman/btool/mkeficapsule.py|  45 +++
 tools/binman/entries.rst  |  35 ++
 tools/binman/etype/efi_capsule_cfg_file.py|  66 
 tools/binman/etype/efi_empty_capsule.py   |  91 +
 tools/binman/ftest.py |  81 
 tools/binman/test/319_capsule_cfg.dts |  15 +
 tools/binman/test/320_capsule_accept.dts  |  16 +
 tools/binman/test/321_capsule_revert.dts  |  14 +
 .../test/322_capsule_accept_missing_guid.dts  |  14 +
 .../binman/test/323_capsule_accept_revert.dts |  17 +
 tools/eficapsule.h| 115 ++
 tools/mkeficapsule.c  |  87 +++--
 tools/mkeficapsule_parse.c| 352 ++
 20 files changed, 1190 insertions(+), 35 deletions(-)
 create mode 100644 test/py/tests/test_efi_capsule/sandbox_capsule_cfg.txt
 create mode 100644 tools/binman/etype/efi_capsule_cfg_file.py
 create mode 100644 tools/binman/etype/efi_empty_capsule.py
 create mode 100644 tools/binman/test/319_capsule_cfg.dts
 create mode 100644 tools/binman/test/320_capsule_accept.dts
 create mode 100644 tools/binman/test/321_capsule_revert.dts
 create mode 100644 tools/binman/test/322_capsule_accept_missing_guid.dts
 create mode 100644 tools/binman/test/323_capsule_accept_revert.dts
 create mode 100644 tools/mkeficapsule_parse.c

-- 
2.34.1




[PATCH 1/8] tools: mkeficapsule: Add support for parsing capsule params from config file

2023-09-08 Thread Sughosh Ganu
Add support for specifying the parameters needed for capsule
generation through a config file, instead of passing them through
command-line. Parameters for more than a single capsule file can be
specified, resulting in generation of multiple capsules through a
single invocation of the command.

Signed-off-by: Sughosh Ganu 
---
 tools/Kconfig  |  16 ++
 tools/Makefile |   1 +
 tools/eficapsule.h | 115 
 tools/mkeficapsule.c   |  87 +
 tools/mkeficapsule_parse.c | 352 +
 5 files changed, 540 insertions(+), 31 deletions(-)
 create mode 100644 tools/mkeficapsule_parse.c

diff --git a/tools/Kconfig b/tools/Kconfig
index 6e23f44d55..88ea3567d0 100644
--- a/tools/Kconfig
+++ b/tools/Kconfig
@@ -98,6 +98,22 @@ config TOOLS_MKEFICAPSULE
  optionally sign that file. If you want to enable UEFI capsule
  update feature on your target, you certainly need this.
 
+config EFI_CAPSULE_CFG_FILE
+   string "Path to the EFI Capsule Config File"
+   default ""
+   help
+ Path to the EFI capsule config file which provides the
+ parameters needed to build capsule(s). Parameters can be
+ provided for multiple payloads resulting in corresponding
+ capsule images being generated.
+
+config EFI_USE_CAPSULE_CFG_FILE
+   bool "Use the config file for generating capsules"
+   help
+ Boolean option used to specify if the EFI capsules are to
+ be generated through parameters specified via the config
+ file or through command line.
+
 menuconfig FSPI_CONF_HEADER
bool "FlexSPI Header Configuration"
help
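Review bot: EFI_CAPSULE_CFG_FILE and EFI_USE_CAPSULE_CFG_FILE are declared independently, so EFI_USE_CAPSULE_CFG_FILE can be enabled while the path keeps its default of "". Make the string option depend on EFI_USE_CAPSULE_CFG_FILE, consider making both depend on TOOLS_MKEFICAPSULE, and say in the help text what the path is relative to.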
diff --git a/tools/Makefile b/tools/Makefile
index 3d0c4b0dd6..eb129e3bb2 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -250,6 +250,7 @@ HOSTLDLIBS_mkeficapsule += \
 HOSTLDLIBS_mkeficapsule += \
$(shell pkg-config --libs uuid 2> /dev/null || echo "-luuid")
 hostprogs-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule
+mkeficapsule-objs := mkeficapsule.o mkeficapsule_parse.o
 
 mkfwumdata-objs := mkfwumdata.o generated/lib/crc32.o
 HOSTLDLIBS_mkfwumdata += -luuid
diff --git a/tools/eficapsule.h b/tools/eficapsule.h
index 2099a2e9b8..d455ac1d6f 100644
--- a/tools/eficapsule.h
+++ b/tools/eficapsule.h
@@ -52,6 +52,12 @@ typedef struct {
 /* flags */
 #define CAPSULE_FLAGS_PERSIST_ACROSS_RESET  0x0001
 
+enum capsule_type {
+   CAPSULE_NORMAL_BLOB = 0,
+   CAPSULE_ACCEPT,
+   CAPSULE_REVERT,
+};
+
 struct efi_capsule_header {
efi_guid_t capsule_guid;
uint32_t header_size;
@@ -113,6 +119,7 @@ struct efi_firmware_image_authentication {
struct win_certificate_uefi_guid auth_info;
 } __packed;
 
+
 /* fmp payload header */
 #define SIGNATURE_16(A, B) ((A) | ((B) << 8))
 #define SIGNATURE_32(A, B, C, D)   \
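Review bot: the only change in this hunk is a second blank line after the closing "} __packed;" of struct efi_firmware_image_authentication, which leaves two consecutive blank lines before the "fmp payload header" comment. Drop it from the patch.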
@@ -143,4 +150,112 @@ struct fmp_payload_header_params {
uint32_t fw_version;
 };
 
+/**
+ * struct efi_capsule_params - Capsule parameters
+ * @image_guid: Guid value of the payload input image
+ * @image_index: Image index value
+ * @hardware_instance: Hardware instance to be used for the image
+ * @fmp: FMP payload header used for storing firmware version
+ * @monotonic_count: Monotonic count value to be used for signed capsule
+ * @privkey_file: Path to private key used in capsule signing
+ * @cert_file: Path to public key certificate used in capsule signing
+ * @input_file: Path to payload input image
+ * @capsule_file: Path to the output capsule file
+ * @oemflags: Oemflags to be populated in the capsule header
+ * @capsule: Capsule Type, normal or accept or revert
+ */
+struct efi_capsule_params {
+   efi_guid_t *image_guid;
+   unsigned long image_index;
+   unsigned long hardware_instance;
+   struct fmp_payload_header_params fmp;
+   uint64_t monotonic_count;
+   char *privkey_file;
+   char *cert_file;
+   char *input_file;
+   char *capsule_file;
+   unsigned long oemflags;
+   enum capsule_type capsule;
+};
+
+/**
+ * capsule_with_cfg_file() - Generate capsule from config file
+ * @cfg_file: Path to the config file
+ *
+ * Parse the capsule parameters from the config file and use the
+ * parameters for generating one or more capsules.
+ *
+ * Return: None
+ *
+ */
+void capsule_with_cfg_file(const char *cfg_file);
+
+/**
+ * convert_uuid_to_guid() - convert UUID to GUID
+ * @buf:   UUID binary
+ *
+ * UUID and GUID have the same data structure, but their binary
+ * formats are different due to the endianness. See lib/uuid.c.
+ * Since uuid_parse() can handle only UUID, this function must
+ * be called to get correct data for GUID when parsing a string.
+ *
+ * The correct data will be returned in @buf.
+ */
+void convert_uuid_to_guid(unsigned char *buf);
+
+/**
+ * create_empty_capsule() - Generate an empty capsule
+ * @path: Path to the empty capsule file t
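Review bot: capsule_with_cfg_file() is declared void with "Return: None", so a caller cannot tell whether the config file parsed or whether each capsule it describes was written. Since one file can describe several capsules, return an int (0 on success, negative on the first failure) so a malformed entry stops the build. The kernel-doc for struct efi_capsule_params should also say which members may be left unset, for instance whether privkey_file and cert_file are required.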

[PATCH 2/8] btool: mkeficapsule: Generate capsule through a config file

2023-09-08 Thread Sughosh Ganu
Add support to the mkeficapsule bintool for generating EFI capsules
through a config file.

Signed-off-by: Sughosh Ganu 
---
 tools/binman/btool/mkeficapsule.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/tools/binman/btool/mkeficapsule.py 
b/tools/binman/btool/mkeficapsule.py
index 61179747ff..b0599aa506 100644
--- a/tools/binman/btool/mkeficapsule.py
+++ b/tools/binman/btool/mkeficapsule.py
@@ -20,6 +20,7 @@ Options:
-A, --fw-accept  firmware accept capsule, requires GUID, no image blob
-R, --fw-revert  firmware revert capsule, takes no GUID, no image blob
-o, --capoemflag Capsule OEM Flag, an integer between 0x and 0x
+   -f, --cfg-file  config file with capsule parameters
-h, --help  print a help message
 """
 
@@ -80,6 +81,21 @@ class Bintoolmkeficapsule(bintool.Bintool):
 
 return self.run_cmd(*args)
 
+def generate_capsule_cfg_file(self, cfg_file):
+"""Generate a capsule reading parameters from config file
+
+Args:
+cfg_file (str): Path to the config file
+
+Returns:
+None
+"""
+args = [
+f'--cfg-file={cfg_file}'
+]
+
+self.run_cmd(*args)
+
 def fetch(self, method):
 """Fetch handler for mkeficapsule
 
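Review bot: generate_capsule_cfg_file() discards the result of self.run_cmd(*args) and documents "Returns: None", while the method just above it in this file ends with "return self.run_cmd(*args)". Return the run_cmd() result here as well so callers can handle both paths the same way.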
-- 
2.34.1


